~/f/scap-security-guide/RPMS.2017 ~/f/scap-security-guide
~/f/scap-security-guide
RPMS.2017/scap-security-guide-0.1.68-0.0.noarch.rpm RPMS/scap-security-guide-0.1.68-0.0.noarch.rpm differ: byte 225, line 1
Comparing scap-security-guide-0.1.68-0.0.noarch.rpm to scap-security-guide-0.1.68-0.0.noarch.rpm
comparing the rpm tags of scap-security-guide
--- old-rpm-tags
+++ new-rpm-tags
@@ -234,9 +234,9 @@
-/usr/share/doc/scap-security-guide/guides/ssg-opensuse-guide-standard.html 5a8aa47e8af467715f6ce96e748afff07134101a11d116d5bfd7deab4ad859d5 2
-/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-anssi_bp28_enhanced.html c06a719f5899b44401d17387be2fb7b30bfac38aac258b48ba8d3efa438e9f8d 2
-/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-anssi_bp28_high.html 4bfcc19ffac824ff79e39a6465e3d41a0566d352dd3b72c55133f77cddd4208f 2
-/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-anssi_bp28_intermediary.html 9611cc84fd3a52cbcd6b7c72d8972414b7d4c4db05fbd088ed78d0f7df60425b 2
-/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-anssi_bp28_minimal.html 24ee8f1d6b6fcd86347a72f478f32573866578b7fa47d24574d72f0689bfb139 2
-/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis.html 05303c94bcf7d0ec186f9fd0967cd9a4f485a6999196a6115e86f7ad0fab73b7 2
-/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_server_l1.html a8faad3458aa342a4192b923bd5a882f511e5789e8c46e0a1ba6b7d531937bd2 2
-/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_workstation_l1.html 39dc83a90569b6dc890826e11561eb305cf8f2d6b3b70cda43a0bc4af07af119 2
-/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_workstation_l2.html 8113dd47e05131859b6c7d11dbccd04b7853ca1bd35fdbca464caca108f35507 2
+/usr/share/doc/scap-security-guide/guides/ssg-opensuse-guide-standard.html 0accbd60dea2099f113616d3913918fb591a3d3ed78aa5cccbbb8cf646674e21 2
+/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-anssi_bp28_enhanced.html 4b2d9b9636a8db0d33d1590f730aa7acb51438db3fc8b3c66ad0323513870169 2
+/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-anssi_bp28_high.html ebbb1ba84de677737f43bb39cee419d59e0b07d546e3f39fe074d6ff22af4231 2
+/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-anssi_bp28_intermediary.html 5e2410decbac15da0c1a67370771e211807eb042cfe937d91fc85d703d7f3c85 2
+/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-anssi_bp28_minimal.html 963c6beb79a2c563579a159e9cc7d0affc7c47750d844c7befb31d2430e725de 2
+/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis.html eb60cfd693a83a883849eec16ae432a30b7c9e811c1157d3995007ff1ceb85e7 2
+/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_server_l1.html fcd16356430b60c60f6068092ba06b71f03ed50cf4f9f00bf1804bcdbb481805 2
+/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_workstation_l1.html 8f8a3fc744f2de40bca8360842d39d8a45da392aef2003eed8ed051d6d311917 2
+/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_workstation_l2.html 8ee59e45824c7f777520e111e8d3ab6443e06a00c892e1ed6c2d7846213de813 2
@@ -244,13 +244,13 @@
-/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-pci-dss-4.html da0e64518e23b1b1f72277cf6aa5e7651b7b4ca67e557aaf5eb18ed536448ea5 2
-/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-pci-dss.html 0fb8a8afff275cdf509abfef84c5367ee537f775fd640c83a0f86a97b99c1c44 2
-/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-standard.html 0948c945559a37fbca779a74025c2c62bda01d9e4a3c139c42139e4096539589 2
-/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-stig.html a6d0b90377ada7d27edb6a426c1a386cf3944d21eb7611c85858f7c1b030134d 2
-/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-anssi_bp28_enhanced.html 937a3f4816ba2dcf3d8c398f3e9d7cdf04365ef15219b4771f22c09db41a72d0 2
-/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-anssi_bp28_high.html c193181bf39caf1bd5a7f59a7c5ed74eb7fc8dfa9d7f069211b745291d6c1ba7 2
-/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-anssi_bp28_intermediary.html 54167675bc5e28e1a5b06241ec8df5f118d3c1ec44b230fc00a7f7b276f3b543 2
-/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-anssi_bp28_minimal.html 12b83babcebd67f144809defacb50c7b4dc9c445a9e74bc632ab44ed7afe5047 2
-/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis.html 2821ad23d148657c6a49fd1bf329b50c7f32b4d3bc7f3013d90c04e71543a92c 2
-/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis_server_l1.html 543946cd343db285448f90754626bc7c3b401769d136f287e60929a664ebfcd4 2
-/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis_workstation_l1.html 5d41af2f1c453799fc95533f9c916687704fcae53b3e1461c25636e486f36870 2
-/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis_workstation_l2.html 7142d23065ac811ff35c3b1962fc3227e14bbc65d7378afc3bae81ce3cdd7c32 2
-/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-hipaa.html 8e91539b2166fd7a9579c1b1481ed652f728b151a7224b053287651f86ffe616 2
+/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-pci-dss-4.html c2d67a98b5fa1fc1f0b119f9b87f33f528dc472900ccf269993dcd83238a71ca 2
+/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-pci-dss.html 49578b22fdf9e0c641c3eba623164ace2a0d0e165650235888556940d8255508 2
+/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-standard.html 5c02806c205d9dfd32f114220f9a986ce813146b40960523f89b01ef955bf897 2
+/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-stig.html 9d120d07094d36ed6386ee23e56c84ea471490aac05b602ba92b96f48782e838 2
+/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-anssi_bp28_enhanced.html 7c4d7cf4709f924b844beea3ac9c494e09cbd26a359443d874619368259f5d40 2
+/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-anssi_bp28_high.html b3928bcf5f91f95ef765c8ff54a7320c3518dcab4976de3e8221d43ad85d4f43 2
+/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-anssi_bp28_intermediary.html e771a8e117ce96bac4ef4ad2f97c86a5e25caa589ed7da93a7fbcd43685b30f9 2
+/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-anssi_bp28_minimal.html 19df457bccc42bb86d136caf0edaf2eb92880584f7ab05ef614320614396d242 2
+/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis.html fe32d944e36228edf6f93c3c8fc3da6099dc12356b866a4c059586bebebce9db 2
+/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis_server_l1.html ebbb7eb0b02115bebc280352af4bdd72b309890b8b8730a6371e65d3fddee5e0 2
+/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis_workstation_l1.html a3634b8d1ecc17c52caadfaa42c347e71a897e18cf2b24a9750a974e0dc30aeb 2
+/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis_workstation_l2.html 6d35f82ec45041d6d770162d03125eb5e539fdb57ac25157d18d6050e4e9a8d4 2
+/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-hipaa.html e72b1b5c296121e920523b540cfacd4268358e98d83a78f61a719be7a2a1bd9a 2
@@ -258,6 +258,6 @@
-/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-pci-dss-4.html 7686c2d7ed5d1f7b005e2f4045ca5d288feb1fc2f30e8beb35b919861a6ea8b7 2
-/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-pci-dss.html 89a44d03d70f4ca58ca6c41c8e010aa65fed63e0bd045638cbeafb72bc49ae3b 2
-/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-pcs-hardening-sap.html 2cf5d6720ca421e918eb0d88d5fec1e7d1447a4162b02e65c8edc3a5c790f9dc 2
-/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-pcs-hardening.html b687643c8521c7a18e000771f5a7fdc2c545820f4e568fb6155efab6ee655f6a 2
-/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-standard.html ee8476d21518c13dcb4efacde4987c82f704d62dc7b34966064a0e6ef76d93f5 2
-/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-stig.html cfa58e251c98a9fea220957eb6c745d213518e2473cbdc9573d0d3357fd13b46 2
+/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-pci-dss-4.html 9a260a2f003a3503c924c28b3e05282c0f608ba70523af23c2a1f3b94f3a0b56 2
+/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-pci-dss.html dde54559415f40a7054df0ef01b05deb34367967ed18048d04dc15f31d79b906 2
+/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-pcs-hardening-sap.html e0eb6be43b7551e4daa29e00925b66a92de58d9e53981e8d758c188dadda48a1 2
+/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-pcs-hardening.html 4227d4661f42a79ff3e5e97216ac22b6db1f68f6eb8d974593c3bd1c1ef38286 2
+/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-standard.html 626e58aed88822ab02d0765d464b21dee725f5ce8dd0d11657766ac93c01323e 2
+/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-stig.html ad58ff237d8f3e0133e18c3a1148657601cb1a14e69c74b5799a49913888df23 2
@@ -339,3 +339,3 @@
-/usr/share/xml/scap/ssg/content/ssg-opensuse-ds-1.2.xml e1945808456cb6754e58df16ccf12f44655e8b7db3c7c917d46e34e913a35771 0
-/usr/share/xml/scap/ssg/content/ssg-opensuse-ds.xml eac1ac877fbe4bd19d18cf86a4eb4c55d1255d62c7d860368f6a894abd20768b 0
-/usr/share/xml/scap/ssg/content/ssg-opensuse-ocil.xml 6be56b54ebba09bd97e523d9cbef25e13048718eef16884542ae0fcdb8254f40 0
+/usr/share/xml/scap/ssg/content/ssg-opensuse-ds-1.2.xml 2cfdad16ca84ad901082dd2b3715fc7a4082b64ba1f886099204c91709968d8d 0
+/usr/share/xml/scap/ssg/content/ssg-opensuse-ds.xml 5cfacfefc0e7813b260c71e911c96187123dae7b49d1eb958518081d9627ed80 0
+/usr/share/xml/scap/ssg/content/ssg-opensuse-ocil.xml d98bb860ff1921436ead168fd5519d19865936feca46a61ea7097fd816e05b50 0
@@ -343 +343 @@
-/usr/share/xml/scap/ssg/content/ssg-opensuse-xccdf.xml 0a3a66198c8b16df82f37bf1ce1e8e5eeb95afb7e0807060dec0bab43fb99a8c 0
+/usr/share/xml/scap/ssg/content/ssg-opensuse-xccdf.xml 9a004e0ae550f1048e73575cd74aabec0cd2284720d6bfee8531d8df4ebe4a7a 0
@@ -346,3 +346,3 @@
-/usr/share/xml/scap/ssg/content/ssg-sle12-ds-1.2.xml 355cf5cc72419ddbe708bfe5631b3c819239e3f5db28addbad74062f0f5ee153 0
-/usr/share/xml/scap/ssg/content/ssg-sle12-ds.xml 3e7f7a5726e16a580424677babe8507fef15171ec8458a418cf86b2e684312ff 0
-/usr/share/xml/scap/ssg/content/ssg-sle12-ocil.xml a8d7ee3a3ccc9f62129cc73badd4a264e94302436ff145860030967447ff8f2a 0
+/usr/share/xml/scap/ssg/content/ssg-sle12-ds-1.2.xml 7037ad3ea606f4f7728b52d8be8f809241df54091b30b73d1eac2f78d803673e 0
+/usr/share/xml/scap/ssg/content/ssg-sle12-ds.xml 35eda84f170f31f2bde64433bb3f009764dc8e74c875d487ab66889da81147bd 0
+/usr/share/xml/scap/ssg/content/ssg-sle12-ocil.xml 0b8b542034d6901938cffdc00df04fb5c0defae4c1b5d6f3556039d7194615ef 0
@@ -350 +350 @@
-/usr/share/xml/scap/ssg/content/ssg-sle12-xccdf.xml d40463ced9bb657cf25a553d674a9aff6980e23bd81885f366aa336fdbc0f5ef 0
+/usr/share/xml/scap/ssg/content/ssg-sle12-xccdf.xml d36f7b62dcd75987c8658f8b200ae204511be68d36f70433efcae04cdd6dc09b 0
@@ -353,3 +353,3 @@
-/usr/share/xml/scap/ssg/content/ssg-sle15-ds-1.2.xml 861939becf2f724f2967846b597ad847fe93b822f592f2749edd01118544c0a4 0
-/usr/share/xml/scap/ssg/content/ssg-sle15-ds.xml 7ad6013f85beac924b5861c0d2eb9b608af861028febeede7c66a8d4a0179bd1 0
-/usr/share/xml/scap/ssg/content/ssg-sle15-ocil.xml 272b041a901eedaace48809990f12e9c339560b6f2dde151d0b991bea977ddc8 0
+/usr/share/xml/scap/ssg/content/ssg-sle15-ds-1.2.xml d6897bdd157298dd012a5f6ce1d834a2dc65677fea8f4f063b0a744f2bd76ca1 0
+/usr/share/xml/scap/ssg/content/ssg-sle15-ds.xml 02413fe0bab0c029e474b5fb9b2f04dbf08c1e6d199ba00bcbba9a8b63274682 0
+/usr/share/xml/scap/ssg/content/ssg-sle15-ocil.xml e0942ccbe4fb7d1cf58f2fc658df928f970d6c3e6d22ce249ee9af5051de518c 0
@@ -357 +357 @@
-/usr/share/xml/scap/ssg/content/ssg-sle15-xccdf.xml e1c9baca9458d2ffdc489763013f9be34fc188ec7c4f56505832e3c7c277229a 0
+/usr/share/xml/scap/ssg/content/ssg-sle15-xccdf.xml 0dba4748173e911765bd53115e964713a9f80a51addb569b4d6c3de5923476df 0
comparing rpmtags
comparing RELEASE
comparing PROVIDES
comparing scripts
comparing filelist
comparing file checksum
creating rename script
RPM file checksum differs.
Extracting packages
/usr/share/doc/scap-security-guide/guides/ssg-opensuse-guide-standard.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-opensuse-guide-standard.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-opensuse-guide-standard.html	2023-07-27 00:00:00.000000000 +0000
@@ -67,7 +67,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Standard System Security Profile for openSUSE</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_standard</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:opensuse:leap:15.0 is applicable to this Benchmark">cpe:/o:opensuse:leap:15.0</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:opensuse:leap:42.1 is applicable to this Benchmark">cpe:/o:opensuse:leap:42.1</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:opensuse:leap:42.2 is applicable to this Benchmark">cpe:/o:opensuse:leap:42.2</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:opensuse:leap:42.3 is applicable to this Benchmark">cpe:/o:opensuse:leap:42.3</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_OPENSUSE"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_OPENSUSE"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of openSUSE
                           <small>Group contains 4 groups and 3 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_OPENSUSE"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-anssi_bp28_enhanced.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-anssi_bp28_enhanced.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-anssi_bp28_enhanced.html	2023-07-27 00:00:00.000000000 +0000
@@ -77,7 +77,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>ANSSI-BP-028 (enhanced)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_bp28_enhanced</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:suse:linux_enterprise_desktop:12 is applicable to this Benchmark">cpe:/o:suse:linux_enterprise_desktop:12</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:suse:linux_enterprise_server:12 is applicable to this Benchmark">cpe:/o:suse:linux_enterprise_server:12</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_SLE-12"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_SLE-12"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of SUSE Linux Enterprise 12
                           <small>Group contains 67 groups and 227 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_SLE-12"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -130,7 +130,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id15" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id15"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id15" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id15"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id16" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id16"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -148,10 +152,6 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id16" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id16"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id17" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id17"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
@@ -415,7 +415,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id33" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id33"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id33" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id33"><pre><code>
+[[packages]]
+name = "sudo"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id34" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id34"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -430,10 +434,6 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id34" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id34"><pre><code>
-[[packages]]
-name = "sudo"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id35" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id35"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
 
 class install_sudo {
@@ -946,7 +946,11 @@
             <abbr title="https://ncp.nist.gov/cce: CCE-91476-2">CCE-91476-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> 
             <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R8)</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000191-GPOS-00080</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id64" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ⇲</a><br><div class="panel-collapse collapse" id="id64"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
 zypper install -y "dnf-automatic"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id65" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id65"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure dnf-automatic is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id65" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id65"><pre><code>
+[[packages]]
+name = "dnf-automatic"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id66" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id66"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure dnf-automatic is installed
   package:
     name: dnf-automatic
     state: present
@@ -958,10 +962,6 @@
   - medium_severity
   - no_reboot_needed
   - package_dnf-automatic_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id66" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id66"><pre><code>
-[[packages]]
-name = "dnf-automatic"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id67" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id67"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_dnf-automatic
 
 class install_dnf-automatic {
@@ -40322,7 +40322,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id304" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id304"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id304" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id304"><pre><code>[customizations.kernel]
+append = "iommu=force"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id305" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id305"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -40399,8 +40401,6 @@
   - reboot_required
   - restrict_strategy
   - unknown_severity
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id305" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id305"><pre><code>[customizations.kernel]
-append = "iommu=force"
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_l1tf_argument" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_grub2_l1tf_argument" id="guide-tree-leaf-id306" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_bootloader-grub2"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_grub2_l1tf_argument"><span class="label label-default">Rule</span>  
                                 Configure L1 Terminal Fault mitigations
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_grub2_l1tf_argument">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">L1 Terminal Fault (L1TF) is a hardware vulnerability which allows unprivileged
@@ -40440,7 +40440,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id308" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id308"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id308" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id308"><pre><code>[customizations.kernel]
+append = "l1tf=<abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_l1tf_options">full,force</abbr>"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id309" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id309"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -40517,8 +40519,6 @@
   - medium_complexity
   - reboot_required
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id309" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id309"><pre><code>[customizations.kernel]
-append = "l1tf=<abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_l1tf_options">full,force</abbr>"
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_mce_argument" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_grub2_mce_argument" id="guide-tree-leaf-id310" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_bootloader-grub2"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_grub2_mce_argument"><span class="label label-default">Rule</span>  
                                 Force kernel panic on uncorrected MCEs
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_grub2_mce_argument">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">A Machine Check Exception is an error generated by the CPU itdetects an error
@@ -40548,7 +40548,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id312" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id312"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id312" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id312"><pre><code>[customizations.kernel]
+append = "mce=0"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id313" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id313"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -40620,8 +40622,6 @@
   - medium_severity
   - reboot_required
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id313" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id313"><pre><code>[customizations.kernel]
-append = "mce=0"
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_nosmap_argument_absent" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_grub2_nosmap_argument_absent" id="guide-tree-leaf-id314" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_bootloader-grub2"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_grub2_nosmap_argument_absent"><span class="label label-default">Rule</span>  
                                 Ensure SMAP is not disabled during boot
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_grub2_nosmap_argument_absent">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The SMAP is used to prevent the supervisor mode from unintentionally reading/writing into
@@ -40826,7 +40826,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id322" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id322"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id322" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id322"><pre><code>[customizations.kernel]
+append = "rng_core.default_quality=<abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_rng_core_default_quality">500</abbr>"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id323" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id323"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -40903,8 +40905,6 @@
   - medium_complexity
   - reboot_required
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id323" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id323"><pre><code>[customizations.kernel]
-append = "rng_core.default_quality=<abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_rng_core_default_quality">500</abbr>"
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_slab_nomerge_argument" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_grub2_slab_nomerge_argument" id="guide-tree-leaf-id324" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_bootloader-grub2"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_grub2_slab_nomerge_argument"><span class="label label-default">Rule</span>  
                                 Disable merging of slabs with similar size
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_grub2_slab_nomerge_argument">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The kernel may merge similar slabs together to reduce overhead and increase
@@ -40937,7 +40937,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id326" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id326"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id326" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id326"><pre><code>[customizations.kernel]
+append = "slab_nomerge=yes"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id327" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id327"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -41009,8 +41011,6 @@
   - medium_severity
   - reboot_required
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id327" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id327"><pre><code>[customizations.kernel]
-append = "slab_nomerge=yes"
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_spec_store_bypass_disable_argument" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_grub2_spec_store_bypass_disable_argument" id="guide-tree-leaf-id328" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_bootloader-grub2"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_grub2_spec_store_bypass_disable_argument"><span class="label label-default">Rule</span>  
                                 Configure Speculative Store Bypass Mitigation
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_grub2_spec_store_bypass_disable_argument">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Certain CPUs are vulnerable to an exploit against a common wide industry wide performance
@@ -41053,7 +41053,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id330" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id330"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id330" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id330"><pre><code>[customizations.kernel]
+append = "spec_store_bypass_disable=<abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_spec_store_bypass_disable_options">seccomp</abbr>"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id331" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id331"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -41131,8 +41133,6 @@
   - medium_severity
   - reboot_required
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id331" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id331"><pre><code>[customizations.kernel]
-append = "spec_store_bypass_disable=<abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_spec_store_bypass_disable_options">seccomp</abbr>"
/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-anssi_bp28_high.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-anssi_bp28_high.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-anssi_bp28_high.html	2023-07-27 00:00:00.000000000 +0000
@@ -77,7 +77,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>ANSSI-BP-028 (high)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_bp28_high</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:suse:linux_enterprise_desktop:12 is applicable to this Benchmark">cpe:/o:suse:linux_enterprise_desktop:12</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:suse:linux_enterprise_server:12 is applicable to this Benchmark">cpe:/o:suse:linux_enterprise_server:12</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_kernel_build_config">Kernel Configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_SLE-12"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_SLE-12"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of SUSE Linux Enterprise 12
                           <small>Group contains 68 groups and 280 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_SLE-12"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -130,7 +130,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id15" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id15"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id15" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id15"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id16" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id16"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -148,10 +152,6 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id16" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id16"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id17" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id17"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
@@ -860,7 +860,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id45" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id45"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id45" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id45"><pre><code>
+[[packages]]
+name = "sudo"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id46" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id46"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -875,10 +879,6 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id46" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id46"><pre><code>
-[[packages]]
-name = "sudo"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id47" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id47"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
 
 class install_sudo {
@@ -1391,7 +1391,11 @@
             <abbr title="https://ncp.nist.gov/cce: CCE-91476-2">CCE-91476-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> 
             <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R8)</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000191-GPOS-00080</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id76" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ⇲</a><br><div class="panel-collapse collapse" id="id76"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
 zypper install -y "dnf-automatic"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id77" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id77"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure dnf-automatic is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id77" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id77"><pre><code>
+[[packages]]
+name = "dnf-automatic"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id78" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id78"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure dnf-automatic is installed
   package:
     name: dnf-automatic
     state: present
@@ -1403,10 +1407,6 @@
   - medium_severity
   - no_reboot_needed
   - package_dnf-automatic_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id78" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id78"><pre><code>
-[[packages]]
-name = "dnf-automatic"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id79" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id79"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_dnf-automatic
 
 class install_dnf-automatic {
@@ -40767,7 +40767,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id316" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id316"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id316" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id316"><pre><code>[customizations.kernel]
+append = "iommu=force"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id317" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id317"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -40844,8 +40846,6 @@
   - reboot_required
   - restrict_strategy
   - unknown_severity
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id317" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id317"><pre><code>[customizations.kernel]
-append = "iommu=force"
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_l1tf_argument" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_grub2_l1tf_argument" id="guide-tree-leaf-id318" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_bootloader-grub2"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_grub2_l1tf_argument"><span class="label label-default">Rule</span>  
                                 Configure L1 Terminal Fault mitigations
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_grub2_l1tf_argument">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">L1 Terminal Fault (L1TF) is a hardware vulnerability which allows unprivileged
@@ -40885,7 +40885,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id320" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id320"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id320" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id320"><pre><code>[customizations.kernel]
+append = "l1tf=<abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_l1tf_options">full,force</abbr>"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id321" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id321"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -40962,8 +40964,6 @@
   - medium_complexity
   - reboot_required
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id321" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id321"><pre><code>[customizations.kernel]
-append = "l1tf=<abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_l1tf_options">full,force</abbr>"
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_mce_argument" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_grub2_mce_argument" id="guide-tree-leaf-id322" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_bootloader-grub2"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_grub2_mce_argument"><span class="label label-default">Rule</span>  
                                 Force kernel panic on uncorrected MCEs
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_grub2_mce_argument">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">A Machine Check Exception is an error generated by the CPU itdetects an error
@@ -40993,7 +40993,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id324" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id324"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id324" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id324"><pre><code>[customizations.kernel]
+append = "mce=0"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id325" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id325"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -41065,8 +41067,6 @@
   - medium_severity
   - reboot_required
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id325" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id325"><pre><code>[customizations.kernel]
-append = "mce=0"
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_nosmap_argument_absent" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_grub2_nosmap_argument_absent" id="guide-tree-leaf-id326" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_bootloader-grub2"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_grub2_nosmap_argument_absent"><span class="label label-default">Rule</span>  
                                 Ensure SMAP is not disabled during boot
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_grub2_nosmap_argument_absent">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The SMAP is used to prevent the supervisor mode from unintentionally reading/writing into
@@ -41271,7 +41271,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id334" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id334"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id334" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id334"><pre><code>[customizations.kernel]
+append = "rng_core.default_quality=<abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_rng_core_default_quality">500</abbr>"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id335" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id335"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -41348,8 +41350,6 @@
   - medium_complexity
   - reboot_required
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id335" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id335"><pre><code>[customizations.kernel]
-append = "rng_core.default_quality=<abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_rng_core_default_quality">500</abbr>"
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_slab_nomerge_argument" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_grub2_slab_nomerge_argument" id="guide-tree-leaf-id336" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_bootloader-grub2"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_grub2_slab_nomerge_argument"><span class="label label-default">Rule</span>  
                                 Disable merging of slabs with similar size
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_grub2_slab_nomerge_argument">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The kernel may merge similar slabs together to reduce overhead and increase
@@ -41382,7 +41382,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id338" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id338"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id338" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id338"><pre><code>[customizations.kernel]
+append = "slab_nomerge=yes"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id339" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id339"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -41454,8 +41456,6 @@
   - medium_severity
   - reboot_required
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id339" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id339"><pre><code>[customizations.kernel]
-append = "slab_nomerge=yes"
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_spec_store_bypass_disable_argument" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_grub2_spec_store_bypass_disable_argument" id="guide-tree-leaf-id340" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_bootloader-grub2"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_grub2_spec_store_bypass_disable_argument"><span class="label label-default">Rule</span>  
                                 Configure Speculative Store Bypass Mitigation
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_grub2_spec_store_bypass_disable_argument">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Certain CPUs are vulnerable to an exploit against a common wide industry wide performance
@@ -41498,7 +41498,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id342" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id342"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id342" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id342"><pre><code>[customizations.kernel]
+append = "spec_store_bypass_disable=<abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_spec_store_bypass_disable_options">seccomp</abbr>"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id343" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id343"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -41576,8 +41578,6 @@
   - medium_severity
   - reboot_required
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id343" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id343"><pre><code>[customizations.kernel]
-append = "spec_store_bypass_disable=<abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_spec_store_bypass_disable_options">seccomp</abbr>"
/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-anssi_bp28_intermediary.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-anssi_bp28_intermediary.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-anssi_bp28_intermediary.html	2023-07-27 00:00:00.000000000 +0000
@@ -77,7 +77,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>ANSSI-BP-028 (intermediary)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_bp28_intermediary</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:suse:linux_enterprise_desktop:12 is applicable to this Benchmark">cpe:/o:suse:linux_enterprise_desktop:12</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:suse:linux_enterprise_server:12 is applicable to this Benchmark">cpe:/o:suse:linux_enterprise_server:12</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_SLE-12"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_SLE-12"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of SUSE Linux Enterprise 12
                           <small>Group contains 54 groups and 155 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_SLE-12"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -130,7 +130,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id15" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id15"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id15" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id15"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id16" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id16"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -148,10 +152,6 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id16" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id16"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id17" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id17"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
@@ -402,7 +402,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id32" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id32"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id32" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id32"><pre><code>
+[[packages]]
+name = "sudo"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id33" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id33"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -417,10 +421,6 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id33" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id33"><pre><code>
-[[packages]]
-name = "sudo"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id34" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id34"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
 
 class install_sudo {
@@ -924,7 +924,11 @@
             <abbr title="https://ncp.nist.gov/cce: CCE-91476-2">CCE-91476-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> 
             <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R8)</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000191-GPOS-00080</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id62" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ⇲</a><br><div class="panel-collapse collapse" id="id62"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
 zypper install -y "dnf-automatic"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id63" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id63"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure dnf-automatic is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id63" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id63"><pre><code>
+[[packages]]
+name = "dnf-automatic"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id64" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id64"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure dnf-automatic is installed
   package:
     name: dnf-automatic
     state: present
@@ -936,10 +940,6 @@
   - medium_severity
   - no_reboot_needed
   - package_dnf-automatic_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id64" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id64"><pre><code>
-[[packages]]
-name = "dnf-automatic"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id65" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id65"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_dnf-automatic
 
 class install_dnf-automatic {
@@ -6367,7 +6367,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id145" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id145"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id145" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id145"><pre><code>[customizations.kernel]
+append = "l1tf=<abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_l1tf_options">full,force</abbr>"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id146" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id146"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -6444,8 +6446,6 @@
   - medium_complexity
   - reboot_required
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id146" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id146"><pre><code>[customizations.kernel]
-append = "l1tf=<abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_l1tf_options">full,force</abbr>"
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_mce_argument" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_grub2_mce_argument" id="guide-tree-leaf-id147" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_bootloader-grub2"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_grub2_mce_argument"><span class="label label-default">Rule</span>  
                                 Force kernel panic on uncorrected MCEs
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_grub2_mce_argument">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">A Machine Check Exception is an error generated by the CPU itdetects an error
@@ -6475,7 +6475,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id149" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id149"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id149" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id149"><pre><code>[customizations.kernel]
+append = "mce=0"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id150" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id150"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -6547,8 +6549,6 @@
   - medium_severity
   - reboot_required
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id150" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id150"><pre><code>[customizations.kernel]
-append = "mce=0"
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_rng_core_default_quality_argument" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_grub2_rng_core_default_quality_argument" id="guide-tree-leaf-id151" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_bootloader-grub2"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_grub2_rng_core_default_quality_argument"><span class="label label-default">Rule</span>  
                                 Configure the confidence in TPM for entropy
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_grub2_rng_core_default_quality_argument">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The TPM security chip that is available in most modern systems has a hardware RNG.
@@ -6591,7 +6591,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id153" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id153"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id153" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id153"><pre><code>[customizations.kernel]
+append = "rng_core.default_quality=<abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_rng_core_default_quality">500</abbr>"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id154" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id154"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -6668,8 +6670,6 @@
   - medium_complexity
   - reboot_required
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id154" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id154"><pre><code>[customizations.kernel]
-append = "rng_core.default_quality=<abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_rng_core_default_quality">500</abbr>"
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_slab_nomerge_argument" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_grub2_slab_nomerge_argument" id="guide-tree-leaf-id155" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_bootloader-grub2"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_grub2_slab_nomerge_argument"><span class="label label-default">Rule</span>  
                                 Disable merging of slabs with similar size
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_grub2_slab_nomerge_argument">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The kernel may merge similar slabs together to reduce overhead and increase
@@ -6702,7 +6702,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id157" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id157"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id157" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id157"><pre><code>[customizations.kernel]
+append = "slab_nomerge=yes"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id158" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id158"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -6774,8 +6776,6 @@
   - medium_severity
   - reboot_required
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id158" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id158"><pre><code>[customizations.kernel]
-append = "slab_nomerge=yes"
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_spec_store_bypass_disable_argument" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_grub2_spec_store_bypass_disable_argument" id="guide-tree-leaf-id159" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_bootloader-grub2"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_grub2_spec_store_bypass_disable_argument"><span class="label label-default">Rule</span>  
                                 Configure Speculative Store Bypass Mitigation
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_grub2_spec_store_bypass_disable_argument">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Certain CPUs are vulnerable to an exploit against a common wide industry wide performance
@@ -6818,7 +6818,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id161" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id161"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id161" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id161"><pre><code>[customizations.kernel]
+append = "spec_store_bypass_disable=<abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_spec_store_bypass_disable_options">seccomp</abbr>"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id162" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id162"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -6896,8 +6898,6 @@
   - medium_severity
   - reboot_required
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id162" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id162"><pre><code>[customizations.kernel]
-append = "spec_store_bypass_disable=<abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_spec_store_bypass_disable_options">seccomp</abbr>"
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_spectre_v2_argument" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_grub2_spectre_v2_argument" id="guide-tree-leaf-id163" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_bootloader-grub2"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_grub2_spectre_v2_argument"><span class="label label-default">Rule</span>  
                                 Enforce Spectre v2 mitigation
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_grub2_spectre_v2_argument">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Spectre V2 is an indirect branch poisoning attack that can lead to data leakage.
@@ -6930,7 +6930,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id165" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id165"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id165" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id165"><pre><code>[customizations.kernel]
+append = "spectre_v2=on"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id166" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id166"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -7002,8 +7004,6 @@
   - medium_complexity
   - reboot_required
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id166" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id166"><pre><code>[customizations.kernel]
-append = "spectre_v2=on"
/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-anssi_bp28_minimal.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-anssi_bp28_minimal.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-anssi_bp28_minimal.html	2023-07-27 00:00:00.000000000 +0000
@@ -77,7 +77,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>ANSSI-BP-028 (minimal)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_bp28_minimal</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:suse:linux_enterprise_desktop:12 is applicable to this Benchmark">cpe:/o:suse:linux_enterprise_desktop:12</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:suse:linux_enterprise_server:12 is applicable to this Benchmark">cpe:/o:suse:linux_enterprise_server:12</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_SLE-12"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_SLE-12"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of SUSE Linux Enterprise 12
                           <small>Group contains 26 groups and 42 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_SLE-12"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -246,7 +246,11 @@
             <abbr title="https://ncp.nist.gov/cce: CCE-91476-2">CCE-91476-2</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> 
             <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R8)</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000191-GPOS-00080</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id20" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ⇲</a><br><div class="panel-collapse collapse" id="id20"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
 zypper install -y "dnf-automatic"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id21" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id21"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure dnf-automatic is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id21" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id21"><pre><code>
+[[packages]]
+name = "dnf-automatic"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure dnf-automatic is installed
   package:
     name: dnf-automatic
     state: present
@@ -258,10 +262,6 @@
   - medium_severity
   - no_reboot_needed
   - package_dnf-automatic_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><pre><code>
-[[packages]]
-name = "dnf-automatic"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id23" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id23"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_dnf-automatic
 
 class install_dnf-automatic {
/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis.html	2023-07-27 00:00:00.000000000 +0000
@@ -70,7 +70,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>CIS SUSE Linux Enterprise 12 Benchmark for Level 2 - Server</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_cis</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:suse:linux_enterprise_desktop:12 is applicable to this Benchmark">cpe:/o:suse:linux_enterprise_desktop:12</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:suse:linux_enterprise_server:12 is applicable to this Benchmark">cpe:/o:suse:linux_enterprise_server:12</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_apparmor">AppArmor</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_avahi">Avahi Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_dns">DNS Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_http">Web Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_imap">IMAP and POP3 Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_printing">Print Support</a></li><li><a href="#xccdf_org.ssgproject.content_group_proxy">Proxy Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB) Microsoft Windows File Sharing Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_snmp">SNMP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_xwindows">X Window System</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_SLE-12"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_SLE-12"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of SUSE Linux Enterprise 12
                           <small>Group contains 112 groups and 353 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_SLE-12"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -123,7 +123,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id15" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id15"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id15" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id15"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id16" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id16"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -141,10 +145,6 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id16" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id16"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id17" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id17"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
@@ -946,7 +946,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id49" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id49"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id49" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id49"><pre><code>
+[[packages]]
+name = "sudo"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id50" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id50"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -961,10 +965,6 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id50" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id50"><pre><code>
-[[packages]]
-name = "sudo"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id51" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id51"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
 
 class install_sudo {
@@ -38700,7 +38700,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id381" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id381"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure audit-libs is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id381" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id381"><pre><code>
+[[packages]]
+name = "audit-libs"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id382" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id382"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure audit-libs is installed
   package:
     name: audit-libs
     state: present
@@ -38721,10 +38725,6 @@
   - medium_severity
   - no_reboot_needed
   - package_audit-libs_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id382" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id382"><pre><code>
-[[packages]]
-name = "audit-libs"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id383" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id383"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_audit-libs
 
 class install_audit-libs {
@@ -38744,7 +38744,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id386" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id386"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure audit is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id386" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id386"><pre><code>
+[[packages]]
+name = "audit"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id387" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id387"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure audit is installed
   package:
     name: audit
     state: present
@@ -38767,10 +38771,6 @@
   - medium_severity
   - no_reboot_needed
   - package_audit_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id387" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id387"><pre><code>
-[[packages]]
-name = "audit"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id388" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id388"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_audit
 
 class install_audit {
@@ -38805,7 +38805,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id391" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id391"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id391" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id391"><pre><code>
+[customizations.services]
+enabled = ["auditd"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id392" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id392"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -38885,9 +38888,6 @@
   - medium_severity
   - no_reboot_needed
   - service_auditd_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id392" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id392"><pre><code>
-[customizations.services]
-enabled = ["auditd"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id393" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id393"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_auditd
 
 class enable_auditd {
@@ -38923,7 +38923,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id396" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id396"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id396" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id396"><pre><code>[customizations.kernel]
+append = "audit=1"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id397" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id397"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -39045,8 +39047,6 @@
   - medium_complexity
   - reboot_required
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id397" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id397"><pre><code>[customizations.kernel]
-append = "audit=1"
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_audit_backlog_limit_argument" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_grub2_audit_backlog_limit_argument" id="guide-tree-leaf-id398" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_auditing"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_grub2_audit_backlog_limit_argument"><span class="label label-default">Rule</span>  
                                 Extend Audit Backlog Limit for the Audit Daemon
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_grub2_audit_backlog_limit_argument">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">To improve the kernel capacity to queue all log events, even those which occurred
@@ -39074,7 +39074,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id400" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id400"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id400" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id400"><pre><code>[customizations.kernel]
+append = "audit_backlog_limit=8192"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id401" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id401"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -39156,8 +39158,6 @@
   - medium_complexity
   - reboot_required
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id401" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id401"><pre><code>[customizations.kernel]
-append = "audit_backlog_limit=8192"
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_apparmor" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td style="padding-left: 38px" id="xccdf_org.ssgproject.content_group_apparmor"><span class="label label-default">Group</span>  
                 AppArmor
                           <small>Group contains 4 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_apparmor" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_apparmor" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td style="padding-left: 38px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_apparmor">[ref]</a>  
@@ -39193,7 +39193,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id404" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id404"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure pam_apparmor is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id404" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id404"><pre><code>
+[[packages]]
+name = "pam_apparmor"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id405" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id405"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure pam_apparmor is installed
   package:
     name: pam_apparmor
     state: present
@@ -39214,10 +39218,6 @@
   - medium_severity
   - no_reboot_needed
   - package_pam_apparmor_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id405" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id405"><pre><code>
-[[packages]]
-name = "pam_apparmor"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id406" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id406"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_pam_apparmor
 
 class install_pam_apparmor {
@@ -39512,7 +39512,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id415" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id415"><pre><code>- name: Start apparmor.service
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id415" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id415"><pre><code>
+[customizations.services]
/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_server_l1.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_server_l1.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_server_l1.html	2023-07-27 00:00:00.000000000 +0000
@@ -70,7 +70,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>CIS SUSE Linux Enterprise 12 Benchmark for Level 1 - Server</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_cis_server_l1</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:suse:linux_enterprise_desktop:12 is applicable to this Benchmark">cpe:/o:suse:linux_enterprise_desktop:12</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:suse:linux_enterprise_server:12 is applicable to this Benchmark">cpe:/o:suse:linux_enterprise_server:12</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_apparmor">AppArmor</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_avahi">Avahi Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_dns">DNS Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_http">Web Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_imap">IMAP and POP3 Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_printing">Print Support</a></li><li><a href="#xccdf_org.ssgproject.content_group_proxy">Proxy Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB) Microsoft Windows File Sharing Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_snmp">SNMP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_xwindows">X Window System</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_SLE-12"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_SLE-12"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of SUSE Linux Enterprise 12
                           <small>Group contains 100 groups and 283 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_SLE-12"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -123,7 +123,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id15" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id15"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id15" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id15"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id16" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id16"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -141,10 +145,6 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id16" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id16"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id17" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id17"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
@@ -896,7 +896,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id44" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id44"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id44" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id44"><pre><code>
+[[packages]]
+name = "sudo"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id45" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id45"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -911,10 +915,6 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id45" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id45"><pre><code>
-[[packages]]
-name = "sudo"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id46" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id46"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
 
 class install_sudo {
@@ -6989,7 +6989,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id224" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id224"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure pam_apparmor is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id224" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id224"><pre><code>
+[[packages]]
+name = "pam_apparmor"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id225" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id225"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure pam_apparmor is installed
   package:
     name: pam_apparmor
     state: present
@@ -7010,10 +7014,6 @@
   - medium_severity
   - no_reboot_needed
   - package_pam_apparmor_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id225" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id225"><pre><code>
-[[packages]]
-name = "pam_apparmor"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id226" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id226"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_pam_apparmor
 
 class install_pam_apparmor {
@@ -7210,7 +7210,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id232" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id232"><pre><code>- name: Start apparmor.service
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id232" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id232"><pre><code>
+[customizations.services]
+enabled = ["apparmor"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id233" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id233"><pre><code>- name: Start apparmor.service
   systemd:
     name: apparmor.service
     state: started
@@ -7228,9 +7231,6 @@
   - NIST-800-53-SC-7(21)
   - apparmor_configured
   - medium_severity
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id233" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id233"><pre><code>
-[customizations.services]
-enabled = ["apparmor"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id234" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id234"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_apparmor
 
 class enable_apparmor {
@@ -9066,7 +9066,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id273" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id273"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rsyslog is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id273" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id273"><pre><code>
+[[packages]]
+name = "rsyslog"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id274" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id274"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rsyslog is installed
   package:
     name: rsyslog
     state: present
@@ -9080,10 +9084,6 @@
   - medium_severity
   - no_reboot_needed
   - package_rsyslog_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id274" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id274"><pre><code>
-[[packages]]
-name = "rsyslog"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id275" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id275"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_rsyslog
 
 class install_rsyslog {
@@ -9110,7 +9110,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id278" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id278"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service rsyslog
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id278" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id278"><pre><code>
+[customizations.services]
+enabled = ["rsyslog"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id279" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id279"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service rsyslog
   block:
 
   - name: Gather the package facts
@@ -9136,9 +9139,6 @@
   - medium_severity
   - no_reboot_needed
   - service_rsyslog_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id279" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id279"><pre><code>
-[customizations.services]
-enabled = ["rsyslog"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id280" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id280"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_rsyslog
 
 class enable_rsyslog {
@@ -9227,7 +9227,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id283" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id283"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service iptables
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id283" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id283"><pre><code>
+[customizations.services]
+enabled = ["iptables"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id284" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id284"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service iptables
   block:
 
   - name: Gather the package facts
@@ -9256,9 +9259,6 @@
   - medium_severity
   - no_reboot_needed
   - service_iptables_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id284" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id284"><pre><code>
-[customizations.services]
-enabled = ["iptables"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id285" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id285"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_iptables
 
 class enable_iptables {
@@ -9505,7 +9505,11 @@
             <abbr title="https://ncp.nist.gov/cce: CCE-91549-6">CCE-91549-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> 
             <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-1.4.1</a>, <a href="https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf">1.4.2</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://www.cisecurity.org/benchmark/suse_linux/">3.5.1.1</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id296" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ⇲</a><br><div class="panel-collapse collapse" id="id296"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
 zypper install -y "iptables"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id297" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id297"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure iptables is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id297" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id297"><pre><code>
+[[packages]]
+name = "iptables"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id298" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id298"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure iptables is installed
   package:
     name: iptables
     state: present
@@ -9520,10 +9524,6 @@
   - medium_severity
   - no_reboot_needed
   - package_iptables_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id298" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id298"><pre><code>
-[[packages]]
-name = "iptables"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id299" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id299"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_iptables
 
 class install_iptables {
@@ -14835,7 +14835,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_workstation_l1.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_workstation_l1.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_workstation_l1.html	2023-07-27 00:00:00.000000000 +0000
@@ -70,7 +70,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>CIS SUSE Linux Enterprise 12 Benchmark for Level 1 - Workstation</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_cis_workstation_l1</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:suse:linux_enterprise_desktop:12 is applicable to this Benchmark">cpe:/o:suse:linux_enterprise_desktop:12</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:suse:linux_enterprise_server:12 is applicable to this Benchmark">cpe:/o:suse:linux_enterprise_server:12</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_apparmor">AppArmor</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_dns">DNS Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_http">Web Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_imap">IMAP and POP3 Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_proxy">Proxy Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB) Microsoft Windows File Sharing Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_snmp">SNMP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_SLE-12"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_SLE-12"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of SUSE Linux Enterprise 12
                           <small>Group contains 93 groups and 274 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_SLE-12"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -123,7 +123,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id15" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id15"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id15" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id15"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id16" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id16"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -141,10 +145,6 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id16" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id16"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id17" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id17"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
@@ -896,7 +896,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id44" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id44"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id44" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id44"><pre><code>
+[[packages]]
+name = "sudo"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id45" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id45"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -911,10 +915,6 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id45" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id45"><pre><code>
-[[packages]]
-name = "sudo"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id46" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id46"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
 
 class install_sudo {
@@ -6989,7 +6989,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id224" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id224"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure pam_apparmor is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id224" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id224"><pre><code>
+[[packages]]
+name = "pam_apparmor"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id225" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id225"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure pam_apparmor is installed
   package:
     name: pam_apparmor
     state: present
@@ -7010,10 +7014,6 @@
   - medium_severity
   - no_reboot_needed
   - package_pam_apparmor_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id225" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id225"><pre><code>
-[[packages]]
-name = "pam_apparmor"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id226" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id226"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_pam_apparmor
 
 class install_pam_apparmor {
@@ -7210,7 +7210,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id232" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id232"><pre><code>- name: Start apparmor.service
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id232" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id232"><pre><code>
+[customizations.services]
+enabled = ["apparmor"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id233" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id233"><pre><code>- name: Start apparmor.service
   systemd:
     name: apparmor.service
     state: started
@@ -7228,9 +7231,6 @@
   - NIST-800-53-SC-7(21)
   - apparmor_configured
   - medium_severity
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id233" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id233"><pre><code>
-[customizations.services]
-enabled = ["apparmor"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id234" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id234"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_apparmor
 
 class enable_apparmor {
@@ -9066,7 +9066,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id273" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id273"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rsyslog is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id273" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id273"><pre><code>
+[[packages]]
+name = "rsyslog"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id274" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id274"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rsyslog is installed
   package:
     name: rsyslog
     state: present
@@ -9080,10 +9084,6 @@
   - medium_severity
   - no_reboot_needed
   - package_rsyslog_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id274" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id274"><pre><code>
-[[packages]]
-name = "rsyslog"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id275" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id275"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_rsyslog
 
 class install_rsyslog {
@@ -9110,7 +9110,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id278" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id278"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service rsyslog
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id278" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id278"><pre><code>
+[customizations.services]
+enabled = ["rsyslog"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id279" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id279"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service rsyslog
   block:
 
   - name: Gather the package facts
@@ -9136,9 +9139,6 @@
   - medium_severity
   - no_reboot_needed
   - service_rsyslog_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id279" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id279"><pre><code>
-[customizations.services]
-enabled = ["rsyslog"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id280" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id280"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_rsyslog
 
 class enable_rsyslog {
@@ -9227,7 +9227,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id283" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id283"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service iptables
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id283" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id283"><pre><code>
+[customizations.services]
+enabled = ["iptables"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id284" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id284"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service iptables
   block:
 
   - name: Gather the package facts
@@ -9256,9 +9259,6 @@
   - medium_severity
   - no_reboot_needed
   - service_iptables_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id284" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id284"><pre><code>
-[customizations.services]
-enabled = ["iptables"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id285" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id285"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_iptables
 
 class enable_iptables {
@@ -9505,7 +9505,11 @@
             <abbr title="https://ncp.nist.gov/cce: CCE-91549-6">CCE-91549-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> 
             <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-1.4.1</a>, <a href="https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf">1.4.2</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://www.cisecurity.org/benchmark/suse_linux/">3.5.1.1</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id296" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ⇲</a><br><div class="panel-collapse collapse" id="id296"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
 zypper install -y "iptables"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id297" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id297"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure iptables is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id297" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id297"><pre><code>
+[[packages]]
+name = "iptables"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id298" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id298"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure iptables is installed
   package:
     name: iptables
     state: present
@@ -9520,10 +9524,6 @@
   - medium_severity
   - no_reboot_needed
   - package_iptables_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id298" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id298"><pre><code>
-[[packages]]
-name = "iptables"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id299" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id299"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_iptables
 
 class install_iptables {
@@ -17716,7 +17716,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_workstation_l2.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_workstation_l2.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-cis_workstation_l2.html	2023-07-27 00:00:00.000000000 +0000
@@ -70,7 +70,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>CIS SUSE Linux Enterprise 12 Benchmark Level 2 - Workstation</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_cis_workstation_l2</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:suse:linux_enterprise_desktop:12 is applicable to this Benchmark">cpe:/o:suse:linux_enterprise_desktop:12</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:suse:linux_enterprise_server:12 is applicable to this Benchmark">cpe:/o:suse:linux_enterprise_server:12</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_apparmor">AppArmor</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_avahi">Avahi Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_dns">DNS Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_http">Web Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_imap">IMAP and POP3 Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_proxy">Proxy Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB) Microsoft Windows File Sharing Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_snmp">SNMP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_SLE-12"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_SLE-12"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of SUSE Linux Enterprise 12
                           <small>Group contains 109 groups and 349 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_SLE-12"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -123,7 +123,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id15" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id15"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id15" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id15"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id16" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id16"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -141,10 +145,6 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id16" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id16"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id17" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id17"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
@@ -946,7 +946,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id49" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id49"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id49" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id49"><pre><code>
+[[packages]]
+name = "sudo"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id50" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id50"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -961,10 +965,6 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id50" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id50"><pre><code>
-[[packages]]
-name = "sudo"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id51" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id51"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
 
 class install_sudo {
@@ -38700,7 +38700,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id381" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id381"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure audit-libs is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id381" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id381"><pre><code>
+[[packages]]
+name = "audit-libs"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id382" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id382"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure audit-libs is installed
   package:
     name: audit-libs
     state: present
@@ -38721,10 +38725,6 @@
   - medium_severity
   - no_reboot_needed
   - package_audit-libs_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id382" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id382"><pre><code>
-[[packages]]
-name = "audit-libs"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id383" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id383"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_audit-libs
 
 class install_audit-libs {
@@ -38744,7 +38744,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id386" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id386"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure audit is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id386" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id386"><pre><code>
+[[packages]]
+name = "audit"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id387" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id387"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure audit is installed
   package:
     name: audit
     state: present
@@ -38767,10 +38771,6 @@
   - medium_severity
   - no_reboot_needed
   - package_audit_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id387" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id387"><pre><code>
-[[packages]]
-name = "audit"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id388" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id388"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_audit
 
 class install_audit {
@@ -38805,7 +38805,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id391" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id391"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id391" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id391"><pre><code>
+[customizations.services]
+enabled = ["auditd"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id392" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id392"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -38885,9 +38888,6 @@
   - medium_severity
   - no_reboot_needed
   - service_auditd_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id392" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id392"><pre><code>
-[customizations.services]
-enabled = ["auditd"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id393" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id393"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_auditd
 
 class enable_auditd {
@@ -38923,7 +38923,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id396" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id396"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id396" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id396"><pre><code>[customizations.kernel]
+append = "audit=1"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id397" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id397"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -39045,8 +39047,6 @@
   - medium_complexity
   - reboot_required
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id397" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id397"><pre><code>[customizations.kernel]
-append = "audit=1"
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_audit_backlog_limit_argument" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_grub2_audit_backlog_limit_argument" id="guide-tree-leaf-id398" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_auditing"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_grub2_audit_backlog_limit_argument"><span class="label label-default">Rule</span>  
                                 Extend Audit Backlog Limit for the Audit Daemon
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_grub2_audit_backlog_limit_argument">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">To improve the kernel capacity to queue all log events, even those which occurred
@@ -39074,7 +39074,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id400" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id400"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id400" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id400"><pre><code>[customizations.kernel]
+append = "audit_backlog_limit=8192"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id401" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id401"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -39156,8 +39158,6 @@
   - medium_complexity
   - reboot_required
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id401" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id401"><pre><code>[customizations.kernel]
-append = "audit_backlog_limit=8192"
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_apparmor" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td style="padding-left: 38px" id="xccdf_org.ssgproject.content_group_apparmor"><span class="label label-default">Group</span>  
                 AppArmor
                           <small>Group contains 4 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_apparmor" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_apparmor" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td style="padding-left: 38px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_apparmor">[ref]</a>  
@@ -39193,7 +39193,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id404" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id404"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure pam_apparmor is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id404" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id404"><pre><code>
+[[packages]]
+name = "pam_apparmor"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id405" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id405"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure pam_apparmor is installed
   package:
     name: pam_apparmor
     state: present
@@ -39214,10 +39218,6 @@
   - medium_severity
   - no_reboot_needed
   - package_pam_apparmor_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id405" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id405"><pre><code>
-[[packages]]
-name = "pam_apparmor"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id406" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id406"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_pam_apparmor
 
 class install_pam_apparmor {
@@ -39512,7 +39512,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id415" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id415"><pre><code>- name: Start apparmor.service
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id415" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id415"><pre><code>
+[customizations.services]
/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-pci-dss-4.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-pci-dss-4.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-pci-dss-4.html	2023-07-27 00:00:00.000000000 +0000
@@ -65,7 +65,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>PCI-DSS v4 Control Baseline for SUSE Linux enterprise 12</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_pci-dss-4</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:suse:linux_enterprise_desktop:12 is applicable to this Benchmark">cpe:/o:suse:linux_enterprise_desktop:12</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:suse:linux_enterprise_server:12 is applicable to this Benchmark">cpe:/o:suse:linux_enterprise_server:12</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_avahi">Avahi Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_dns">DNS Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_http">Web Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_printing">Print Support</a></li><li><a href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB) Microsoft Windows File Sharing Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_snmp">SNMP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_sssd">System Security Services Daemon</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_SLE-12"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_SLE-12"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of SUSE Linux Enterprise 12
                           <small>Group contains 88 groups and 213 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_SLE-12"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -475,7 +475,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id23" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id23"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -493,10 +497,6 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id23" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id23"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id24" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id24"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
@@ -5943,7 +5943,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id104" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id104"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service pcscd
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id104" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id104"><pre><code>
+[customizations.services]
+enabled = ["pcscd"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id105" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id105"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service pcscd
   block:
 
   - name: Gather the package facts
@@ -5982,9 +5985,6 @@
   - medium_severity
   - no_reboot_needed
   - service_pcscd_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id105" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id105"><pre><code>
-[customizations.services]
-enabled = ["pcscd"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id106" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id106"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_pcscd
 
 class enable_pcscd {
@@ -49133,7 +49133,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id323" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id323"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure audit-audispd-plugins is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id323" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id323"><pre><code>
+[[packages]]
+name = "audit-audispd-plugins"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id324" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id324"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure audit-audispd-plugins is installed
   package:
     name: audit-audispd-plugins
     state: present
@@ -49150,10 +49154,6 @@
   - medium_severity
   - no_reboot_needed
   - package_audit-audispd-plugins_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id324" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id324"><pre><code>
-[[packages]]
-name = "audit-audispd-plugins"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id325" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id325"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_audit-audispd-plugins
 
 class install_audit-audispd-plugins {
@@ -49188,7 +49188,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id328" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id328"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id328" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id328"><pre><code>
+[customizations.services]
+enabled = ["auditd"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id329" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id329"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -49268,9 +49271,6 @@
   - medium_severity
   - no_reboot_needed
   - service_auditd_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id329" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id329"><pre><code>
-[customizations.services]
-enabled = ["auditd"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id330" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id330"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_auditd
 
 class enable_auditd {
@@ -49306,7 +49306,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id333" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id333"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id333" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id333"><pre><code>[customizations.kernel]
+append = "audit=1"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id334" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id334"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -49428,8 +49430,6 @@
   - medium_complexity
   - reboot_required
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id334" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id334"><pre><code>[customizations.kernel]
-append = "audit=1"
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_bootloader-grub2" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td style="padding-left: 38px" id="xccdf_org.ssgproject.content_group_bootloader-grub2"><span class="label label-default">Group</span>  
                 GRUB2 bootloader configuration
                           <small>Group contains 1 group and 2 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_bootloader-grub2" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_bootloader-grub2" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td style="padding-left: 38px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_bootloader-grub2">[ref]</a>  
@@ -50770,7 +50770,11 @@
             <abbr title="https://ncp.nist.gov/cce: CCE-91662-7">CCE-91662-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> 
             <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001130</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001131</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.15.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.MA-2</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-4.1</a>, <a href="https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf">4.2.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000120-GPOS-00061</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id354" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ⇲</a><br><div class="panel-collapse collapse" id="id354"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
 zypper install -y "libreswan"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id355" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id355"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure libreswan is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id355" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id355"><pre><code>
+[[packages]]
+name = "libreswan"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id356" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id356"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure libreswan is installed
   package:
     name: libreswan
     state: present
@@ -50785,10 +50789,6 @@
   - medium_severity
   - no_reboot_needed
   - package_libreswan_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id356" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id356"><pre><code>
-[[packages]]
-name = "libreswan"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id357" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id357"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_libreswan
 
 class install_libreswan {
@@ -50808,7 +50808,11 @@
             <abbr title="https://ncp.nist.gov/cce: CCE-91625-4">CCE-91625-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> 
             <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001130</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001131</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.15.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.MA-2</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-4.1</a>, <a href="https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf">4.2.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000120-GPOS-00061</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id359" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ⇲</a><br><div class="panel-collapse collapse" id="id359"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
 zypper install -y "strongswan"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id360" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id360"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure strongswan is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id360" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id360"><pre><code>
+[[packages]]
+name = "strongswan"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id361" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id361"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure strongswan is installed
   package:
     name: strongswan
     state: present
@@ -50823,10 +50827,6 @@
   - medium_severity
   - no_reboot_needed
   - package_strongswan_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id361" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id361"><pre><code>
-[[packages]]
-name = "strongswan"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id362" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id362"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_strongswan
 
 class install_strongswan {
@@ -50864,7 +50864,11 @@
             <abbr title="https://ncp.nist.gov/cce: CCE-91549-6">CCE-91549-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> 
             <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-1.4.1</a>, <a href="https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf">1.4.2</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://www.cisecurity.org/benchmark/suse_linux/">3.5.1.1</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id364" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ⇲</a><br><div class="panel-collapse collapse" id="id364"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
 zypper install -y "iptables"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id365" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id365"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure iptables is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id365" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id365"><pre><code>
+[[packages]]
+name = "iptables"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id366" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id366"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure iptables is installed
   package:
     name: iptables
     state: present
@@ -50879,10 +50883,6 @@
   - medium_severity
   - no_reboot_needed
   - package_iptables_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id366" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id366"><pre><code>
-[[packages]]
-name = "iptables"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id367" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id367"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_iptables
 
 class install_iptables {
@@ -50929,7 +50929,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id370" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id370"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-pci-dss.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-pci-dss.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-pci-dss.html	2023-07-27 00:00:00.000000000 +0000
@@ -65,7 +65,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>PCI-DSS v3.2.1 Control Baseline for SUSE Linux enterprise 12</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_pci-dss</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:suse:linux_enterprise_desktop:12 is applicable to this Benchmark">cpe:/o:suse:linux_enterprise_desktop:12</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:suse:linux_enterprise_server:12 is applicable to this Benchmark">cpe:/o:suse:linux_enterprise_server:12</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_sssd">System Security Services Daemon</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_SLE-12"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_SLE-12"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of SUSE Linux Enterprise 12
                           <small>Group contains 61 groups and 154 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_SLE-12"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -475,7 +475,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id23" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id23"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -493,10 +497,6 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id23" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id23"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id24" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id24"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
@@ -5943,7 +5943,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id104" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id104"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service pcscd
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id104" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id104"><pre><code>
+[customizations.services]
+enabled = ["pcscd"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id105" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id105"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service pcscd
   block:
 
   - name: Gather the package facts
@@ -5982,9 +5985,6 @@
   - medium_severity
   - no_reboot_needed
   - service_pcscd_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id105" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id105"><pre><code>
-[customizations.services]
-enabled = ["pcscd"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id106" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id106"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_pcscd
 
 class enable_pcscd {
@@ -49117,7 +49117,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id320" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id320"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure audit-audispd-plugins is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id320" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id320"><pre><code>
+[[packages]]
+name = "audit-audispd-plugins"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id321" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id321"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure audit-audispd-plugins is installed
   package:
     name: audit-audispd-plugins
     state: present
@@ -49134,10 +49138,6 @@
   - medium_severity
   - no_reboot_needed
   - package_audit-audispd-plugins_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id321" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id321"><pre><code>
-[[packages]]
-name = "audit-audispd-plugins"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id322" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id322"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_audit-audispd-plugins
 
 class install_audit-audispd-plugins {
@@ -49172,7 +49172,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id325" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id325"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id325" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id325"><pre><code>
+[customizations.services]
+enabled = ["auditd"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id326" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id326"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -49252,9 +49255,6 @@
   - medium_severity
   - no_reboot_needed
   - service_auditd_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id326" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id326"><pre><code>
-[customizations.services]
-enabled = ["auditd"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id327" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id327"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_auditd
 
 class enable_auditd {
@@ -49290,7 +49290,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id330" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id330"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id330" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id330"><pre><code>[customizations.kernel]
+append = "audit=1"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id331" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id331"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -49412,8 +49414,6 @@
   - medium_complexity
   - reboot_required
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id331" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id331"><pre><code>[customizations.kernel]
-append = "audit=1"
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_bootloader-grub2" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td style="padding-left: 38px" id="xccdf_org.ssgproject.content_group_bootloader-grub2"><span class="label label-default">Group</span>  
                 GRUB2 bootloader configuration
                           <small>Group contains 1 group and 2 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_bootloader-grub2" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_bootloader-grub2" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td style="padding-left: 38px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_bootloader-grub2">[ref]</a>  
@@ -50754,7 +50754,11 @@
             <abbr title="https://ncp.nist.gov/cce: CCE-91662-7">CCE-91662-7</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> 
             <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001130</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001131</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.15.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.MA-2</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-4.1</a>, <a href="https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf">4.2.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000120-GPOS-00061</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id351" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ⇲</a><br><div class="panel-collapse collapse" id="id351"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
 zypper install -y "libreswan"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id352" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id352"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure libreswan is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id352" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id352"><pre><code>
+[[packages]]
+name = "libreswan"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id353" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id353"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure libreswan is installed
   package:
     name: libreswan
     state: present
@@ -50769,10 +50773,6 @@
   - medium_severity
   - no_reboot_needed
   - package_libreswan_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id353" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id353"><pre><code>
-[[packages]]
-name = "libreswan"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id354" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id354"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_libreswan
 
 class install_libreswan {
@@ -50792,7 +50792,11 @@
             <abbr title="https://ncp.nist.gov/cce: CCE-91625-4">CCE-91625-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> 
             <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001130</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001131</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.15.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.MA-2</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-4.1</a>, <a href="https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf">4.2.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000120-GPOS-00061</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id356" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ⇲</a><br><div class="panel-collapse collapse" id="id356"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
 zypper install -y "strongswan"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id357" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id357"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure strongswan is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id357" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id357"><pre><code>
+[[packages]]
+name = "strongswan"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id358" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id358"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure strongswan is installed
   package:
     name: strongswan
     state: present
@@ -50807,10 +50811,6 @@
   - medium_severity
   - no_reboot_needed
   - package_strongswan_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id358" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id358"><pre><code>
-[[packages]]
-name = "strongswan"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id359" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id359"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_strongswan
 
 class install_strongswan {
@@ -50848,7 +50848,11 @@
             <abbr title="https://ncp.nist.gov/cce: CCE-91549-6">CCE-91549-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> 
             <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-1.4.1</a>, <a href="https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf">1.4.2</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://www.cisecurity.org/benchmark/suse_linux/">3.5.1.1</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id361" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ⇲</a><br><div class="panel-collapse collapse" id="id361"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
 zypper install -y "iptables"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id362" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id362"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure iptables is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id362" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id362"><pre><code>
+[[packages]]
+name = "iptables"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id363" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id363"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure iptables is installed
   package:
     name: iptables
     state: present
@@ -50863,10 +50867,6 @@
   - medium_severity
   - no_reboot_needed
   - package_iptables_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id363" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id363"><pre><code>
-[[packages]]
-name = "iptables"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id364" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id364"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_iptables
 
 class install_iptables {
@@ -50913,7 +50913,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id367" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id367"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-standard.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-standard.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-standard.html	2023-07-27 00:00:00.000000000 +0000
@@ -67,7 +67,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Standard System Security Profile for SUSE Linux Enterprise 12</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_standard</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:suse:linux_enterprise_desktop:12 is applicable to this Benchmark">cpe:/o:suse:linux_enterprise_desktop:12</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:suse:linux_enterprise_server:12 is applicable to this Benchmark">cpe:/o:suse:linux_enterprise_server:12</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_SLE-12"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_SLE-12"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of SUSE Linux Enterprise 12
                           <small>Group contains 4 groups and 3 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_SLE-12"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
/usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-stig.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-stig.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle12-guide-stig.html	2023-07-27 00:00:00.000000000 +0000
@@ -66,7 +66,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>DISA STIG for SUSE Linux Enterprise 12</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_stig</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:suse:linux_enterprise_desktop:12 is applicable to this Benchmark">cpe:/o:suse:linux_enterprise_desktop:12</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:suse:linux_enterprise_server:12 is applicable to this Benchmark">cpe:/o:suse:linux_enterprise_server:12</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_apparmor">AppArmor</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_sssd">System Security Services Daemon</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_SLE-12"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_SLE-12"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of SUSE Linux Enterprise 12
                           <small>Group contains 83 groups and 241 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_SLE-12"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -119,7 +119,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id15" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id15"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id15" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id15"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id16" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id16"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -137,10 +141,6 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id16" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id16"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id17" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id17"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
@@ -7671,7 +7671,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id152" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id152"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure kbd is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id152" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id152"><pre><code>
+[[packages]]
+name = "kbd"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id153" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id153"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure kbd is installed
   package:
     name: kbd
     state: present
@@ -7688,10 +7692,6 @@
   - medium_severity
   - no_reboot_needed
   - vlock_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id153" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id153"><pre><code>
-[[packages]]
-name = "kbd"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id154" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id154"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_kbd
 
 class install_kbd {
@@ -52270,7 +52270,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id439" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id439"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure audit-audispd-plugins is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id439" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id439"><pre><code>
+[[packages]]
+name = "audit-audispd-plugins"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id440" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id440"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure audit-audispd-plugins is installed
   package:
     name: audit-audispd-plugins
     state: present
@@ -52287,10 +52291,6 @@
   - medium_severity
   - no_reboot_needed
   - package_audit-audispd-plugins_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id440" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id440"><pre><code>
-[[packages]]
-name = "audit-audispd-plugins"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id441" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id441"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_audit-audispd-plugins
 
 class install_audit-audispd-plugins {
@@ -52310,7 +52310,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id444" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id444"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure audit is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id444" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id444"><pre><code>
+[[packages]]
+name = "audit"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id445" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id445"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure audit is installed
   package:
     name: audit
     state: present
@@ -52333,10 +52337,6 @@
   - medium_severity
   - no_reboot_needed
   - package_audit_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id445" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id445"><pre><code>
-[[packages]]
-name = "audit"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id446" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id446"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_audit
 
 class install_audit {
@@ -52371,7 +52371,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id449" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id449"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id449" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id449"><pre><code>
+[customizations.services]
+enabled = ["auditd"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id450" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id450"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -52451,9 +52454,6 @@
   - medium_severity
   - no_reboot_needed
   - service_auditd_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id450" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id450"><pre><code>
-[customizations.services]
-enabled = ["auditd"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id451" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id451"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_auditd
 
 class enable_auditd {
@@ -52497,7 +52497,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id454" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id454"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure pam_apparmor is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id454" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id454"><pre><code>
+[[packages]]
+name = "pam_apparmor"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id455" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id455"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure pam_apparmor is installed
   package:
     name: pam_apparmor
     state: present
@@ -52518,10 +52522,6 @@
   - medium_severity
   - no_reboot_needed
   - package_pam_apparmor_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id455" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id455"><pre><code>
-[[packages]]
-name = "pam_apparmor"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id456" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id456"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_pam_apparmor
 
 class install_pam_apparmor {
@@ -52573,7 +52573,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id459" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id459"><pre><code>- name: Start apparmor.service
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id459" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id459"><pre><code>
+[customizations.services]
+enabled = ["apparmor"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id460" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id460"><pre><code>- name: Start apparmor.service
   systemd:
     name: apparmor.service
     state: started
@@ -52591,9 +52594,6 @@
   - NIST-800-53-SC-7(21)
   - apparmor_configured
   - medium_severity
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id460" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id460"><pre><code>
-[customizations.services]
-enabled = ["apparmor"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id461" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id461"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_apparmor
 
 class enable_apparmor {
@@ -55513,7 +55513,11 @@
             <abbr title="https://ncp.nist.gov/cce: CCE-83157-8">CCE-83157-8</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> 
             <a href="https://public.cyber.mil/stigs/cci/">CCI-000382</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002080</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002314</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CA-3(5)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(1)</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000420-GPOS-00186</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000096-GPOS-00050</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cunix-linux">SLES-12-030030</a>, <a href="https://public.cyber.mil/stigs/srg-stig-tools/">SV-217261r603262_rule</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id516" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ⇲</a><br><div class="panel-collapse collapse" id="id516"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
 zypper install -y "SuSEfirewall2"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id517" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id517"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure SuSEfirewall2 is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id517" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id517"><pre><code>
+[[packages]]
+name = "SuSEfirewall2"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id518" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id518"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure SuSEfirewall2 is installed
   package:
     name: SuSEfirewall2
     state: present
@@ -55529,10 +55533,6 @@
   - medium_severity
   - no_reboot_needed
   - package_SuSEfirewall2_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id518" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id518"><pre><code>
-[[packages]]
-name = "SuSEfirewall2"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id519" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id519"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_SuSEfirewall2
 
 class install_SuSEfirewall2 {
@@ -55561,7 +55561,10 @@
/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-anssi_bp28_enhanced.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-anssi_bp28_enhanced.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-anssi_bp28_enhanced.html	2023-07-27 00:00:00.000000000 +0000
@@ -77,7 +77,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>ANSSI-BP-028 (enhanced)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_bp28_enhanced</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:suse:linux_enterprise_desktop:15 is applicable to this Benchmark">cpe:/o:suse:linux_enterprise_desktop:15</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:suse:linux_enterprise_server:15 is applicable to this Benchmark">cpe:/o:suse:linux_enterprise_server:15</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_SLE-15"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_SLE-15"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of SUSE Linux Enterprise 15
                           <small>Group contains 67 groups and 228 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_SLE-15"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -130,7 +130,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id18" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id18"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id18" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id18"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id19" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id19"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -148,10 +152,6 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id19" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id19"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id20" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id20"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
@@ -415,7 +415,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id36" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id36"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id36" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id36"><pre><code>
+[[packages]]
+name = "sudo"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id37" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id37"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -430,10 +434,6 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id37" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id37"><pre><code>
-[[packages]]
-name = "sudo"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id38" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id38"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
 
 class install_sudo {
@@ -946,7 +946,11 @@
             <abbr title="https://ncp.nist.gov/cce: CCE-91163-6">CCE-91163-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> 
             <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R8)</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000191-GPOS-00080</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id67" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ⇲</a><br><div class="panel-collapse collapse" id="id67"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
 zypper install -y "dnf-automatic"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id68" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id68"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure dnf-automatic is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id68" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id68"><pre><code>
+[[packages]]
+name = "dnf-automatic"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id69" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id69"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure dnf-automatic is installed
   package:
     name: dnf-automatic
     state: present
@@ -958,10 +962,6 @@
   - medium_severity
   - no_reboot_needed
   - package_dnf-automatic_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id69" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id69"><pre><code>
-[[packages]]
-name = "dnf-automatic"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id70" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id70"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_dnf-automatic
 
 class install_dnf-automatic {
@@ -41481,7 +41481,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id310" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id310"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id310" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id310"><pre><code>[customizations.kernel]
+append = "iommu=force"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id311" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id311"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -41558,8 +41560,6 @@
   - reboot_required
   - restrict_strategy
   - unknown_severity
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id311" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id311"><pre><code>[customizations.kernel]
-append = "iommu=force"
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_l1tf_argument" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_grub2_l1tf_argument" id="guide-tree-leaf-id312" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_bootloader-grub2"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_grub2_l1tf_argument"><span class="label label-default">Rule</span>  
                                 Configure L1 Terminal Fault mitigations
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_grub2_l1tf_argument">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">L1 Terminal Fault (L1TF) is a hardware vulnerability which allows unprivileged
@@ -41599,7 +41599,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id314" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id314"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id314" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id314"><pre><code>[customizations.kernel]
+append = "l1tf=<abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_l1tf_options">full,force</abbr>"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id315" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id315"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -41676,8 +41678,6 @@
   - medium_complexity
   - reboot_required
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id315" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id315"><pre><code>[customizations.kernel]
-append = "l1tf=<abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_l1tf_options">full,force</abbr>"
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_mce_argument" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_grub2_mce_argument" id="guide-tree-leaf-id316" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_bootloader-grub2"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_grub2_mce_argument"><span class="label label-default">Rule</span>  
                                 Force kernel panic on uncorrected MCEs
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_grub2_mce_argument">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">A Machine Check Exception is an error generated by the CPU itdetects an error
@@ -41707,7 +41707,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id318" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id318"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id318" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id318"><pre><code>[customizations.kernel]
+append = "mce=0"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id319" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id319"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -41779,8 +41781,6 @@
   - medium_severity
   - reboot_required
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id319" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id319"><pre><code>[customizations.kernel]
-append = "mce=0"
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_nosmap_argument_absent" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_grub2_nosmap_argument_absent" id="guide-tree-leaf-id320" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_bootloader-grub2"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_grub2_nosmap_argument_absent"><span class="label label-default">Rule</span>  
                                 Ensure SMAP is not disabled during boot
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_grub2_nosmap_argument_absent">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The SMAP is used to prevent the supervisor mode from unintentionally reading/writing into
@@ -41985,7 +41985,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id328" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id328"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id328" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id328"><pre><code>[customizations.kernel]
+append = "rng_core.default_quality=<abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_rng_core_default_quality">500</abbr>"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id329" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id329"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -42062,8 +42064,6 @@
   - medium_complexity
   - reboot_required
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id329" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id329"><pre><code>[customizations.kernel]
-append = "rng_core.default_quality=<abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_rng_core_default_quality">500</abbr>"
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_slab_nomerge_argument" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_grub2_slab_nomerge_argument" id="guide-tree-leaf-id330" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_bootloader-grub2"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_grub2_slab_nomerge_argument"><span class="label label-default">Rule</span>  
                                 Disable merging of slabs with similar size
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_grub2_slab_nomerge_argument">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The kernel may merge similar slabs together to reduce overhead and increase
@@ -42096,7 +42096,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id332" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id332"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id332" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id332"><pre><code>[customizations.kernel]
+append = "slab_nomerge=yes"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id333" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id333"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -42168,8 +42170,6 @@
   - medium_severity
   - reboot_required
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id333" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id333"><pre><code>[customizations.kernel]
-append = "slab_nomerge=yes"
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_spec_store_bypass_disable_argument" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_grub2_spec_store_bypass_disable_argument" id="guide-tree-leaf-id334" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_bootloader-grub2"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_grub2_spec_store_bypass_disable_argument"><span class="label label-default">Rule</span>  
                                 Configure Speculative Store Bypass Mitigation
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_grub2_spec_store_bypass_disable_argument">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Certain CPUs are vulnerable to an exploit against a common wide industry wide performance
@@ -42212,7 +42212,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id336" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id336"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id336" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id336"><pre><code>[customizations.kernel]
+append = "spec_store_bypass_disable=<abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_spec_store_bypass_disable_options">seccomp</abbr>"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id337" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id337"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -42290,8 +42292,6 @@
   - medium_severity
   - reboot_required
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id337" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id337"><pre><code>[customizations.kernel]
-append = "spec_store_bypass_disable=<abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_spec_store_bypass_disable_options">seccomp</abbr>"
/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-anssi_bp28_high.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-anssi_bp28_high.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-anssi_bp28_high.html	2023-07-27 00:00:00.000000000 +0000
@@ -77,7 +77,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>ANSSI-BP-028 (high)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_bp28_high</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:suse:linux_enterprise_desktop:15 is applicable to this Benchmark">cpe:/o:suse:linux_enterprise_desktop:15</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:suse:linux_enterprise_server:15 is applicable to this Benchmark">cpe:/o:suse:linux_enterprise_server:15</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_kernel_build_config">Kernel Configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_SLE-15"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_SLE-15"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of SUSE Linux Enterprise 15
                           <small>Group contains 68 groups and 281 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_SLE-15"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -130,7 +130,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id18" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id18"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id18" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id18"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id19" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id19"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -148,10 +152,6 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id19" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id19"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id20" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id20"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
@@ -850,7 +850,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id48" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id48"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id48" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id48"><pre><code>
+[[packages]]
+name = "sudo"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id49" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id49"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -865,10 +869,6 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id49" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id49"><pre><code>
-[[packages]]
-name = "sudo"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id50" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id50"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
 
 class install_sudo {
@@ -1381,7 +1381,11 @@
             <abbr title="https://ncp.nist.gov/cce: CCE-91163-6">CCE-91163-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> 
             <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R8)</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000191-GPOS-00080</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id79" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ⇲</a><br><div class="panel-collapse collapse" id="id79"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
 zypper install -y "dnf-automatic"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id80" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id80"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure dnf-automatic is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id80" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id80"><pre><code>
+[[packages]]
+name = "dnf-automatic"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id81" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id81"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure dnf-automatic is installed
   package:
     name: dnf-automatic
     state: present
@@ -1393,10 +1397,6 @@
   - medium_severity
   - no_reboot_needed
   - package_dnf-automatic_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id81" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id81"><pre><code>
-[[packages]]
-name = "dnf-automatic"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id82" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id82"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_dnf-automatic
 
 class install_dnf-automatic {
@@ -41916,7 +41916,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id322" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id322"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id322" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id322"><pre><code>[customizations.kernel]
+append = "iommu=force"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id323" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id323"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -41993,8 +41995,6 @@
   - reboot_required
   - restrict_strategy
   - unknown_severity
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id323" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id323"><pre><code>[customizations.kernel]
-append = "iommu=force"
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_l1tf_argument" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_grub2_l1tf_argument" id="guide-tree-leaf-id324" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_bootloader-grub2"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_grub2_l1tf_argument"><span class="label label-default">Rule</span>  
                                 Configure L1 Terminal Fault mitigations
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_grub2_l1tf_argument">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">L1 Terminal Fault (L1TF) is a hardware vulnerability which allows unprivileged
@@ -42034,7 +42034,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id326" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id326"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id326" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id326"><pre><code>[customizations.kernel]
+append = "l1tf=<abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_l1tf_options">full,force</abbr>"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id327" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id327"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -42111,8 +42113,6 @@
   - medium_complexity
   - reboot_required
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id327" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id327"><pre><code>[customizations.kernel]
-append = "l1tf=<abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_l1tf_options">full,force</abbr>"
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_mce_argument" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_grub2_mce_argument" id="guide-tree-leaf-id328" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_bootloader-grub2"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_grub2_mce_argument"><span class="label label-default">Rule</span>  
                                 Force kernel panic on uncorrected MCEs
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_grub2_mce_argument">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">A Machine Check Exception is an error generated by the CPU itdetects an error
@@ -42142,7 +42142,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id330" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id330"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id330" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id330"><pre><code>[customizations.kernel]
+append = "mce=0"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id331" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id331"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -42214,8 +42216,6 @@
   - medium_severity
   - reboot_required
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id331" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id331"><pre><code>[customizations.kernel]
-append = "mce=0"
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_nosmap_argument_absent" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_grub2_nosmap_argument_absent" id="guide-tree-leaf-id332" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_bootloader-grub2"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_grub2_nosmap_argument_absent"><span class="label label-default">Rule</span>  
                                 Ensure SMAP is not disabled during boot
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_grub2_nosmap_argument_absent">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The SMAP is used to prevent the supervisor mode from unintentionally reading/writing into
@@ -42420,7 +42420,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id340" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id340"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id340" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id340"><pre><code>[customizations.kernel]
+append = "rng_core.default_quality=<abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_rng_core_default_quality">500</abbr>"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id341" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id341"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -42497,8 +42499,6 @@
   - medium_complexity
   - reboot_required
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id341" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id341"><pre><code>[customizations.kernel]
-append = "rng_core.default_quality=<abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_rng_core_default_quality">500</abbr>"
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_slab_nomerge_argument" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_grub2_slab_nomerge_argument" id="guide-tree-leaf-id342" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_bootloader-grub2"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_grub2_slab_nomerge_argument"><span class="label label-default">Rule</span>  
                                 Disable merging of slabs with similar size
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_grub2_slab_nomerge_argument">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The kernel may merge similar slabs together to reduce overhead and increase
@@ -42531,7 +42531,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id344" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id344"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id344" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id344"><pre><code>[customizations.kernel]
+append = "slab_nomerge=yes"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id345" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id345"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -42603,8 +42605,6 @@
   - medium_severity
   - reboot_required
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id345" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id345"><pre><code>[customizations.kernel]
-append = "slab_nomerge=yes"
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_spec_store_bypass_disable_argument" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_grub2_spec_store_bypass_disable_argument" id="guide-tree-leaf-id346" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_bootloader-grub2"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_grub2_spec_store_bypass_disable_argument"><span class="label label-default">Rule</span>  
                                 Configure Speculative Store Bypass Mitigation
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_grub2_spec_store_bypass_disable_argument">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Certain CPUs are vulnerable to an exploit against a common wide industry wide performance
@@ -42647,7 +42647,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id348" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id348"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id348" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id348"><pre><code>[customizations.kernel]
+append = "spec_store_bypass_disable=<abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_spec_store_bypass_disable_options">seccomp</abbr>"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id349" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id349"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -42725,8 +42727,6 @@
   - medium_severity
   - reboot_required
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id349" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id349"><pre><code>[customizations.kernel]
-append = "spec_store_bypass_disable=<abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_spec_store_bypass_disable_options">seccomp</abbr>"
/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-anssi_bp28_intermediary.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-anssi_bp28_intermediary.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-anssi_bp28_intermediary.html	2023-07-27 00:00:00.000000000 +0000
@@ -77,7 +77,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>ANSSI-BP-028 (intermediary)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_bp28_intermediary</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:suse:linux_enterprise_desktop:15 is applicable to this Benchmark">cpe:/o:suse:linux_enterprise_desktop:15</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:suse:linux_enterprise_server:15 is applicable to this Benchmark">cpe:/o:suse:linux_enterprise_server:15</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_SLE-15"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_SLE-15"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of SUSE Linux Enterprise 15
                           <small>Group contains 54 groups and 156 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_SLE-15"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -130,7 +130,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id18" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id18"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id18" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id18"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id19" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id19"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -148,10 +152,6 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id19" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id19"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id20" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id20"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
@@ -402,7 +402,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id35" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id35"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id35" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id35"><pre><code>
+[[packages]]
+name = "sudo"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id36" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id36"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -417,10 +421,6 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id36" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id36"><pre><code>
-[[packages]]
-name = "sudo"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id37" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id37"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
 
 class install_sudo {
@@ -924,7 +924,11 @@
             <abbr title="https://ncp.nist.gov/cce: CCE-91163-6">CCE-91163-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> 
             <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R8)</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000191-GPOS-00080</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id65" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ⇲</a><br><div class="panel-collapse collapse" id="id65"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
 zypper install -y "dnf-automatic"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id66" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id66"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure dnf-automatic is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id66" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id66"><pre><code>
+[[packages]]
+name = "dnf-automatic"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id67" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id67"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure dnf-automatic is installed
   package:
     name: dnf-automatic
     state: present
@@ -936,10 +940,6 @@
   - medium_severity
   - no_reboot_needed
   - package_dnf-automatic_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id67" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id67"><pre><code>
-[[packages]]
-name = "dnf-automatic"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id68" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id68"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_dnf-automatic
 
 class install_dnf-automatic {
@@ -7140,7 +7140,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id151" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id151"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id151" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id151"><pre><code>[customizations.kernel]
+append = "l1tf=<abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_l1tf_options">full,force</abbr>"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id152" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id152"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -7217,8 +7219,6 @@
   - medium_complexity
   - reboot_required
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id152" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id152"><pre><code>[customizations.kernel]
-append = "l1tf=<abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_l1tf_options">full,force</abbr>"
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_mce_argument" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_grub2_mce_argument" id="guide-tree-leaf-id153" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_bootloader-grub2"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_grub2_mce_argument"><span class="label label-default">Rule</span>  
                                 Force kernel panic on uncorrected MCEs
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_grub2_mce_argument">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">A Machine Check Exception is an error generated by the CPU itdetects an error
@@ -7248,7 +7248,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id155" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id155"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id155" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id155"><pre><code>[customizations.kernel]
+append = "mce=0"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id156" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id156"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -7320,8 +7322,6 @@
   - medium_severity
   - reboot_required
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id156" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id156"><pre><code>[customizations.kernel]
-append = "mce=0"
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_rng_core_default_quality_argument" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_grub2_rng_core_default_quality_argument" id="guide-tree-leaf-id157" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_bootloader-grub2"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_grub2_rng_core_default_quality_argument"><span class="label label-default">Rule</span>  
                                 Configure the confidence in TPM for entropy
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_grub2_rng_core_default_quality_argument">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The TPM security chip that is available in most modern systems has a hardware RNG.
@@ -7364,7 +7364,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id159" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id159"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id159" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id159"><pre><code>[customizations.kernel]
+append = "rng_core.default_quality=<abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_rng_core_default_quality">500</abbr>"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id160" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id160"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -7441,8 +7443,6 @@
   - medium_complexity
   - reboot_required
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id160" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id160"><pre><code>[customizations.kernel]
-append = "rng_core.default_quality=<abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_rng_core_default_quality">500</abbr>"
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_slab_nomerge_argument" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_grub2_slab_nomerge_argument" id="guide-tree-leaf-id161" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_bootloader-grub2"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_grub2_slab_nomerge_argument"><span class="label label-default">Rule</span>  
                                 Disable merging of slabs with similar size
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_grub2_slab_nomerge_argument">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The kernel may merge similar slabs together to reduce overhead and increase
@@ -7475,7 +7475,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id163" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id163"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id163" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id163"><pre><code>[customizations.kernel]
+append = "slab_nomerge=yes"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id164" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id164"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -7547,8 +7549,6 @@
   - medium_severity
   - reboot_required
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id164" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id164"><pre><code>[customizations.kernel]
-append = "slab_nomerge=yes"
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_spec_store_bypass_disable_argument" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_grub2_spec_store_bypass_disable_argument" id="guide-tree-leaf-id165" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_bootloader-grub2"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_grub2_spec_store_bypass_disable_argument"><span class="label label-default">Rule</span>  
                                 Configure Speculative Store Bypass Mitigation
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_grub2_spec_store_bypass_disable_argument">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Certain CPUs are vulnerable to an exploit against a common wide industry wide performance
@@ -7591,7 +7591,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id167" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id167"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id167" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id167"><pre><code>[customizations.kernel]
+append = "spec_store_bypass_disable=<abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_spec_store_bypass_disable_options">seccomp</abbr>"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id168" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id168"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -7669,8 +7671,6 @@
   - medium_severity
   - reboot_required
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id168" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id168"><pre><code>[customizations.kernel]
-append = "spec_store_bypass_disable=<abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_spec_store_bypass_disable_options">seccomp</abbr>"
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_spectre_v2_argument" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_grub2_spectre_v2_argument" id="guide-tree-leaf-id169" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_bootloader-grub2"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_grub2_spectre_v2_argument"><span class="label label-default">Rule</span>  
                                 Enforce Spectre v2 mitigation
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_grub2_spectre_v2_argument">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Spectre V2 is an indirect branch poisoning attack that can lead to data leakage.
@@ -7703,7 +7703,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id171" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id171"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id171" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id171"><pre><code>[customizations.kernel]
+append = "spectre_v2=on"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id172" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id172"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -7775,8 +7777,6 @@
   - medium_complexity
   - reboot_required
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id172" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id172"><pre><code>[customizations.kernel]
-append = "spectre_v2=on"
/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-anssi_bp28_minimal.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-anssi_bp28_minimal.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-anssi_bp28_minimal.html	2023-07-27 00:00:00.000000000 +0000
@@ -77,7 +77,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>ANSSI-BP-028 (minimal)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_bp28_minimal</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:suse:linux_enterprise_desktop:15 is applicable to this Benchmark">cpe:/o:suse:linux_enterprise_desktop:15</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:suse:linux_enterprise_server:15 is applicable to this Benchmark">cpe:/o:suse:linux_enterprise_server:15</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_SLE-15"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_SLE-15"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of SUSE Linux Enterprise 15
                           <small>Group contains 26 groups and 43 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_SLE-15"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -246,7 +246,11 @@
             <abbr title="https://ncp.nist.gov/cce: CCE-91163-6">CCE-91163-6</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> 
             <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R8)</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000191-GPOS-00080</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id23" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ⇲</a><br><div class="panel-collapse collapse" id="id23"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
 zypper install -y "dnf-automatic"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id24" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id24"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure dnf-automatic is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id24" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id24"><pre><code>
+[[packages]]
+name = "dnf-automatic"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure dnf-automatic is installed
   package:
     name: dnf-automatic
     state: present
@@ -258,10 +262,6 @@
   - medium_severity
   - no_reboot_needed
   - package_dnf-automatic_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><pre><code>
-[[packages]]
-name = "dnf-automatic"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id26" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id26"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_dnf-automatic
 
 class install_dnf-automatic {
/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis.html	2023-07-27 00:00:00.000000000 +0000
@@ -70,7 +70,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>CIS SUSE Linux Enterprise 15 Benchmark for Level 2 - Server</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_cis</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:suse:linux_enterprise_desktop:15 is applicable to this Benchmark">cpe:/o:suse:linux_enterprise_desktop:15</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:suse:linux_enterprise_server:15 is applicable to this Benchmark">cpe:/o:suse:linux_enterprise_server:15</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_apparmor">AppArmor</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_avahi">Avahi Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_dns">DNS Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_http">Web Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_imap">IMAP and POP3 Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_printing">Print Support</a></li><li><a href="#xccdf_org.ssgproject.content_group_proxy">Proxy Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB) Microsoft Windows File Sharing Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_snmp">SNMP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_xwindows">X Window System</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_SLE-15"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_SLE-15"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of SUSE Linux Enterprise 15
                           <small>Group contains 115 groups and 368 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_SLE-15"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -123,7 +123,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id18" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id18"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id18" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id18"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id19" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id19"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -141,10 +145,6 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id19" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id19"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id20" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id20"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
@@ -774,7 +774,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id49" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id49"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id49" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id49"><pre><code>
+[[packages]]
+name = "sudo"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id50" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id50"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -789,10 +793,6 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id50" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id50"><pre><code>
-[[packages]]
-name = "sudo"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id51" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id51"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
 
 class install_sudo {
@@ -38770,7 +38770,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id381" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id381"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure audit-libs is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id381" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id381"><pre><code>
+[[packages]]
+name = "audit-libs"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id382" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id382"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure audit-libs is installed
   package:
     name: audit-libs
     state: present
@@ -38791,10 +38795,6 @@
   - medium_severity
   - no_reboot_needed
   - package_audit-libs_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id382" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id382"><pre><code>
-[[packages]]
-name = "audit-libs"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id383" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id383"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_audit-libs
 
 class install_audit-libs {
@@ -38814,7 +38814,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id386" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id386"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure audit is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id386" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id386"><pre><code>
+[[packages]]
+name = "audit"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id387" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id387"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure audit is installed
   package:
     name: audit
     state: present
@@ -38837,10 +38841,6 @@
   - medium_severity
   - no_reboot_needed
   - package_audit_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id387" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id387"><pre><code>
-[[packages]]
-name = "audit"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id388" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id388"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_audit
 
 class install_audit {
@@ -38875,7 +38875,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id391" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id391"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id391" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id391"><pre><code>
+[customizations.services]
+enabled = ["auditd"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id392" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id392"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -38945,9 +38948,6 @@
   - medium_severity
   - no_reboot_needed
   - service_auditd_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id392" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id392"><pre><code>
-[customizations.services]
-enabled = ["auditd"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id393" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id393"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_auditd
 
 class enable_auditd {
@@ -38983,7 +38983,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id396" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id396"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id396" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id396"><pre><code>[customizations.kernel]
+append = "audit=1"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id397" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id397"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -39105,8 +39107,6 @@
   - medium_complexity
   - reboot_required
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id397" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id397"><pre><code>[customizations.kernel]
-append = "audit=1"
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_audit_backlog_limit_argument" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_grub2_audit_backlog_limit_argument" id="guide-tree-leaf-id398" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_auditing"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_grub2_audit_backlog_limit_argument"><span class="label label-default">Rule</span>  
                                 Extend Audit Backlog Limit for the Audit Daemon
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_grub2_audit_backlog_limit_argument">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">To improve the kernel capacity to queue all log events, even those which occurred
@@ -39134,7 +39134,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id400" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id400"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id400" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id400"><pre><code>[customizations.kernel]
+append = "audit_backlog_limit=8192"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id401" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id401"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -39216,8 +39218,6 @@
   - medium_complexity
   - reboot_required
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id401" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id401"><pre><code>[customizations.kernel]
-append = "audit_backlog_limit=8192"
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_apparmor" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td style="padding-left: 38px" id="xccdf_org.ssgproject.content_group_apparmor"><span class="label label-default">Group</span>  
                 AppArmor
                           <small>Group contains 4 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_apparmor" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_apparmor" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td style="padding-left: 38px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_apparmor">[ref]</a>  
@@ -39253,7 +39253,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id404" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id404"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure pam_apparmor is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id404" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id404"><pre><code>
+[[packages]]
+name = "pam_apparmor"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id405" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id405"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure pam_apparmor is installed
   package:
     name: pam_apparmor
     state: present
@@ -39274,10 +39278,6 @@
   - medium_severity
   - no_reboot_needed
   - package_pam_apparmor_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id405" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id405"><pre><code>
-[[packages]]
-name = "pam_apparmor"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id406" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id406"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_pam_apparmor
 
 class install_pam_apparmor {
@@ -39572,7 +39572,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id415" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id415"><pre><code>- name: Start apparmor.service
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id415" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id415"><pre><code>
+[customizations.services]
/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis_server_l1.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis_server_l1.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis_server_l1.html	2023-07-27 00:00:00.000000000 +0000
@@ -70,7 +70,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>CIS SUSE Linux Enterprise 15 Benchmark for Level 1 - Server</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_cis_server_l1</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:suse:linux_enterprise_desktop:15 is applicable to this Benchmark">cpe:/o:suse:linux_enterprise_desktop:15</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:suse:linux_enterprise_server:15 is applicable to this Benchmark">cpe:/o:suse:linux_enterprise_server:15</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_apparmor">AppArmor</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_avahi">Avahi Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_dns">DNS Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_http">Web Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_imap">IMAP and POP3 Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_printing">Print Support</a></li><li><a href="#xccdf_org.ssgproject.content_group_proxy">Proxy Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB) Microsoft Windows File Sharing Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_snmp">SNMP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_xwindows">X Window System</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_SLE-15"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_SLE-15"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of SUSE Linux Enterprise 15
                           <small>Group contains 103 groups and 297 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_SLE-15"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -123,7 +123,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id18" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id18"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id18" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id18"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id19" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id19"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -141,10 +145,6 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id19" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id19"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id20" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id20"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
@@ -724,7 +724,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id44" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id44"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id44" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id44"><pre><code>
+[[packages]]
+name = "sudo"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id45" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id45"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -739,10 +743,6 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id45" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id45"><pre><code>
-[[packages]]
-name = "sudo"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id46" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id46"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
 
 class install_sudo {
@@ -6735,7 +6735,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id224" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id224"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure pam_apparmor is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id224" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id224"><pre><code>
+[[packages]]
+name = "pam_apparmor"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id225" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id225"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure pam_apparmor is installed
   package:
     name: pam_apparmor
     state: present
@@ -6756,10 +6760,6 @@
   - medium_severity
   - no_reboot_needed
   - package_pam_apparmor_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id225" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id225"><pre><code>
-[[packages]]
-name = "pam_apparmor"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id226" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id226"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_pam_apparmor
 
 class install_pam_apparmor {
@@ -6956,7 +6956,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id232" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id232"><pre><code>- name: Start apparmor.service
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id232" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id232"><pre><code>
+[customizations.services]
+enabled = ["apparmor"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id233" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id233"><pre><code>- name: Start apparmor.service
   systemd:
     name: apparmor.service
     state: started
@@ -6974,9 +6977,6 @@
   - NIST-800-53-SC-7(21)
   - apparmor_configured
   - medium_severity
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id233" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id233"><pre><code>
-[customizations.services]
-enabled = ["apparmor"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id234" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id234"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_apparmor
 
 class enable_apparmor {
@@ -8812,7 +8812,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id273" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id273"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rsyslog is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id273" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id273"><pre><code>
+[[packages]]
+name = "rsyslog"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id274" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id274"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rsyslog is installed
   package:
     name: rsyslog
     state: present
@@ -8826,10 +8830,6 @@
   - medium_severity
   - no_reboot_needed
   - package_rsyslog_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id274" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id274"><pre><code>
-[[packages]]
-name = "rsyslog"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id275" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id275"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_rsyslog
 
 class install_rsyslog {
@@ -8856,7 +8856,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id278" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id278"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service rsyslog
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id278" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id278"><pre><code>
+[customizations.services]
+enabled = ["rsyslog"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id279" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id279"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service rsyslog
   block:
 
   - name: Gather the package facts
@@ -8882,9 +8885,6 @@
   - medium_severity
   - no_reboot_needed
   - service_rsyslog_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id279" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id279"><pre><code>
-[customizations.services]
-enabled = ["rsyslog"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id280" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id280"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_rsyslog
 
 class enable_rsyslog {
@@ -9012,7 +9012,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id283" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id283"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure firewalld is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id283" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id283"><pre><code>
+[[packages]]
+name = "firewalld"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id284" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id284"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure firewalld is installed
   package:
     name: firewalld
     state: present
@@ -9030,10 +9034,6 @@
   - medium_severity
   - no_reboot_needed
   - package_firewalld_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id284" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id284"><pre><code>
-[[packages]]
-name = "firewalld"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id285" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id285"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_firewalld
 
 class install_firewalld {
@@ -9060,7 +9060,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id288" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id288"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service firewalld
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id288" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id288"><pre><code>
+[customizations.services]
+enabled = ["firewalld"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id289" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id289"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service firewalld
   block:
 
   - name: Gather the package facts
@@ -9091,9 +9094,6 @@
   - medium_severity
   - no_reboot_needed
   - service_firewalld_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id289" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id289"><pre><code>
-[customizations.services]
-enabled = ["firewalld"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id290" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id290"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_firewalld
 
 class enable_firewalld {
@@ -9231,7 +9231,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis_workstation_l1.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis_workstation_l1.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis_workstation_l1.html	2023-07-27 00:00:00.000000000 +0000
@@ -70,7 +70,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>CIS SUSE Linux Enterprise 15 Benchmark for Level 1 - Workstation</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_cis_workstation_l1</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:suse:linux_enterprise_desktop:15 is applicable to this Benchmark">cpe:/o:suse:linux_enterprise_desktop:15</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:suse:linux_enterprise_server:15 is applicable to this Benchmark">cpe:/o:suse:linux_enterprise_server:15</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_apparmor">AppArmor</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_dns">DNS Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_http">Web Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_imap">IMAP and POP3 Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_proxy">Proxy Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB) Microsoft Windows File Sharing Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_snmp">SNMP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_SLE-15"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_SLE-15"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of SUSE Linux Enterprise 15
                           <small>Group contains 96 groups and 288 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_SLE-15"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -123,7 +123,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id18" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id18"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id18" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id18"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id19" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id19"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -141,10 +145,6 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id19" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id19"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id20" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id20"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
@@ -724,7 +724,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id44" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id44"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id44" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id44"><pre><code>
+[[packages]]
+name = "sudo"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id45" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id45"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -739,10 +743,6 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id45" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id45"><pre><code>
-[[packages]]
-name = "sudo"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id46" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id46"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
 
 class install_sudo {
@@ -6735,7 +6735,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id224" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id224"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure pam_apparmor is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id224" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id224"><pre><code>
+[[packages]]
+name = "pam_apparmor"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id225" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id225"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure pam_apparmor is installed
   package:
     name: pam_apparmor
     state: present
@@ -6756,10 +6760,6 @@
   - medium_severity
   - no_reboot_needed
   - package_pam_apparmor_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id225" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id225"><pre><code>
-[[packages]]
-name = "pam_apparmor"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id226" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id226"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_pam_apparmor
 
 class install_pam_apparmor {
@@ -6956,7 +6956,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id232" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id232"><pre><code>- name: Start apparmor.service
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id232" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id232"><pre><code>
+[customizations.services]
+enabled = ["apparmor"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id233" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id233"><pre><code>- name: Start apparmor.service
   systemd:
     name: apparmor.service
     state: started
@@ -6974,9 +6977,6 @@
   - NIST-800-53-SC-7(21)
   - apparmor_configured
   - medium_severity
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id233" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id233"><pre><code>
-[customizations.services]
-enabled = ["apparmor"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id234" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id234"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_apparmor
 
 class enable_apparmor {
@@ -8812,7 +8812,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id273" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id273"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rsyslog is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id273" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id273"><pre><code>
+[[packages]]
+name = "rsyslog"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id274" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id274"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rsyslog is installed
   package:
     name: rsyslog
     state: present
@@ -8826,10 +8830,6 @@
   - medium_severity
   - no_reboot_needed
   - package_rsyslog_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id274" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id274"><pre><code>
-[[packages]]
-name = "rsyslog"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id275" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id275"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_rsyslog
 
 class install_rsyslog {
@@ -8856,7 +8856,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id278" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id278"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service rsyslog
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id278" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id278"><pre><code>
+[customizations.services]
+enabled = ["rsyslog"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id279" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id279"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service rsyslog
   block:
 
   - name: Gather the package facts
@@ -8882,9 +8885,6 @@
   - medium_severity
   - no_reboot_needed
   - service_rsyslog_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id279" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id279"><pre><code>
-[customizations.services]
-enabled = ["rsyslog"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id280" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id280"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_rsyslog
 
 class enable_rsyslog {
@@ -9012,7 +9012,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id283" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id283"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure firewalld is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id283" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id283"><pre><code>
+[[packages]]
+name = "firewalld"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id284" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id284"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure firewalld is installed
   package:
     name: firewalld
     state: present
@@ -9030,10 +9034,6 @@
   - medium_severity
   - no_reboot_needed
   - package_firewalld_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id284" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id284"><pre><code>
-[[packages]]
-name = "firewalld"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id285" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id285"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_firewalld
 
 class install_firewalld {
@@ -9060,7 +9060,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id288" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id288"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service firewalld
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id288" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id288"><pre><code>
+[customizations.services]
+enabled = ["firewalld"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id289" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id289"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service firewalld
   block:
 
   - name: Gather the package facts
@@ -9091,9 +9094,6 @@
   - medium_severity
   - no_reboot_needed
   - service_firewalld_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id289" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id289"><pre><code>
-[customizations.services]
-enabled = ["firewalld"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id290" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id290"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_firewalld
 
 class enable_firewalld {
@@ -9231,7 +9231,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis_workstation_l2.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis_workstation_l2.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-cis_workstation_l2.html	2023-07-27 00:00:00.000000000 +0000
@@ -70,7 +70,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>CIS SUSE Linux Enterprise 15 Benchmark Level 2 - Workstation</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_cis_workstation_l2</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:suse:linux_enterprise_desktop:15 is applicable to this Benchmark">cpe:/o:suse:linux_enterprise_desktop:15</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:suse:linux_enterprise_server:15 is applicable to this Benchmark">cpe:/o:suse:linux_enterprise_server:15</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_apparmor">AppArmor</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_avahi">Avahi Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_dns">DNS Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_http">Web Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_imap">IMAP and POP3 Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_proxy">Proxy Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB) Microsoft Windows File Sharing Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_snmp">SNMP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_SLE-15"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_SLE-15"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of SUSE Linux Enterprise 15
                           <small>Group contains 112 groups and 364 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_SLE-15"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -123,7 +123,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id18" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id18"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id18" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id18"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id19" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id19"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -141,10 +145,6 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id19" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id19"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id20" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id20"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
@@ -774,7 +774,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id49" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id49"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id49" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id49"><pre><code>
+[[packages]]
+name = "sudo"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id50" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id50"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -789,10 +793,6 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id50" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id50"><pre><code>
-[[packages]]
-name = "sudo"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id51" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id51"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
 
 class install_sudo {
@@ -38770,7 +38770,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id381" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id381"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure audit-libs is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id381" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id381"><pre><code>
+[[packages]]
+name = "audit-libs"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id382" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id382"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure audit-libs is installed
   package:
     name: audit-libs
     state: present
@@ -38791,10 +38795,6 @@
   - medium_severity
   - no_reboot_needed
   - package_audit-libs_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id382" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id382"><pre><code>
-[[packages]]
-name = "audit-libs"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id383" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id383"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_audit-libs
 
 class install_audit-libs {
@@ -38814,7 +38814,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id386" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id386"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure audit is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id386" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id386"><pre><code>
+[[packages]]
+name = "audit"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id387" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id387"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure audit is installed
   package:
     name: audit
     state: present
@@ -38837,10 +38841,6 @@
   - medium_severity
   - no_reboot_needed
   - package_audit_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id387" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id387"><pre><code>
-[[packages]]
-name = "audit"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id388" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id388"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_audit
 
 class install_audit {
@@ -38875,7 +38875,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id391" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id391"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id391" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id391"><pre><code>
+[customizations.services]
+enabled = ["auditd"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id392" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id392"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -38945,9 +38948,6 @@
   - medium_severity
   - no_reboot_needed
   - service_auditd_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id392" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id392"><pre><code>
-[customizations.services]
-enabled = ["auditd"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id393" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id393"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_auditd
 
 class enable_auditd {
@@ -38983,7 +38983,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id396" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id396"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id396" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id396"><pre><code>[customizations.kernel]
+append = "audit=1"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id397" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id397"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -39105,8 +39107,6 @@
   - medium_complexity
   - reboot_required
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id397" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id397"><pre><code>[customizations.kernel]
-append = "audit=1"
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_audit_backlog_limit_argument" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_grub2_audit_backlog_limit_argument" id="guide-tree-leaf-id398" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_auditing"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_grub2_audit_backlog_limit_argument"><span class="label label-default">Rule</span>  
                                 Extend Audit Backlog Limit for the Audit Daemon
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_grub2_audit_backlog_limit_argument">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">To improve the kernel capacity to queue all log events, even those which occurred
@@ -39134,7 +39134,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id400" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id400"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id400" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id400"><pre><code>[customizations.kernel]
+append = "audit_backlog_limit=8192"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id401" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id401"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -39216,8 +39218,6 @@
   - medium_complexity
   - reboot_required
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id401" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id401"><pre><code>[customizations.kernel]
-append = "audit_backlog_limit=8192"
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_apparmor" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td style="padding-left: 38px" id="xccdf_org.ssgproject.content_group_apparmor"><span class="label label-default">Group</span>  
                 AppArmor
                           <small>Group contains 4 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_apparmor" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_apparmor" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td style="padding-left: 38px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_apparmor">[ref]</a>  
@@ -39253,7 +39253,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id404" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id404"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure pam_apparmor is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id404" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id404"><pre><code>
+[[packages]]
+name = "pam_apparmor"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id405" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id405"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure pam_apparmor is installed
   package:
     name: pam_apparmor
     state: present
@@ -39274,10 +39278,6 @@
   - medium_severity
   - no_reboot_needed
   - package_pam_apparmor_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id405" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id405"><pre><code>
-[[packages]]
-name = "pam_apparmor"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id406" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id406"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_pam_apparmor
 
 class install_pam_apparmor {
@@ -39572,7 +39572,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id415" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id415"><pre><code>- name: Start apparmor.service
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id415" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id415"><pre><code>
+[customizations.services]
/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-hipaa.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-hipaa.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-hipaa.html	2023-07-27 00:00:00.000000000 +0000
@@ -73,7 +73,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Health Insurance Portability and Accountability Act (HIPAA)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_hipaa</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:suse:linux_enterprise_desktop:15 is applicable to this Benchmark">cpe:/o:suse:linux_enterprise_desktop:15</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:suse:linux_enterprise_server:15 is applicable to this Benchmark">cpe:/o:suse:linux_enterprise_server:15</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_routing">Network Routing</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_SLE-15"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_SLE-15"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of SUSE Linux Enterprise 15
                           <small>Group contains 54 groups and 136 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_SLE-15"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -1487,7 +1487,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id52" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id52"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Block Disable service debug-shell
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id52" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id52"><pre><code>
+[customizations.services]
+disabled = ["debug-shell"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id53" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id53"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Block Disable service debug-shell
   block:
 
   - name: Disable service debug-shell
@@ -1553,9 +1556,6 @@
   - medium_severity
   - no_reboot_needed
   - service_debug-shell_disabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id53" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id53"><pre><code>
-[customizations.services]
-disabled = ["debug-shell"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id54" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id54"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include disable_debug-shell
 
 class disable_debug-shell {
@@ -45603,7 +45603,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id283" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id283"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id283" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id283"><pre><code>
+[customizations.services]
+enabled = ["auditd"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id284" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id284"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -45673,9 +45676,6 @@
   - medium_severity
   - no_reboot_needed
   - service_auditd_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id284" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id284"><pre><code>
-[customizations.services]
-enabled = ["auditd"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id285" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id285"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_auditd
 
 class enable_auditd {
@@ -45711,7 +45711,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id288" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id288"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id288" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id288"><pre><code>[customizations.kernel]
+append = "audit=1"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id289" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id289"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -45833,8 +45835,6 @@
   - medium_complexity
   - reboot_required
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id289" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id289"><pre><code>[customizations.kernel]
-append = "audit=1"
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_bootloader-grub2" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td style="padding-left: 38px" id="xccdf_org.ssgproject.content_group_bootloader-grub2"><span class="label label-default">Group</span>  
                 GRUB2 bootloader configuration
                           <small>Group contains 2 groups and 5 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_bootloader-grub2" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_bootloader-grub2" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td style="padding-left: 38px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_bootloader-grub2">[ref]</a>  
@@ -46394,7 +46394,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id307" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id307"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Block Disable service autofs
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id307" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id307"><pre><code>
+[customizations.services]
+disabled = ["autofs"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id308" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id308"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Block Disable service autofs
   block:
 
   - name: Disable service autofs
@@ -46472,9 +46475,6 @@
   - medium_severity
   - no_reboot_needed
   - service_autofs_disabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id308" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id308"><pre><code>
-[customizations.services]
-disabled = ["autofs"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id309" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id309"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include disable_autofs
 
 class disable_autofs {
@@ -47868,7 +47868,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id346" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id346"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Block Disable service kdump
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id346" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id346"><pre><code>
+[customizations.services]
+disabled = ["kdump"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id347" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id347"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Block Disable service kdump
   block:
 
   - name: Disable service kdump
@@ -47940,9 +47943,6 @@
   - medium_severity
   - no_reboot_needed
   - service_kdump_disabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id347" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id347"><pre><code>
-[customizations.services]
-disabled = ["kdump"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id348" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id348"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include disable_kdump
 
 class disable_kdump {
@@ -47979,7 +47979,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id351" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id351"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service cron
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id351" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id351"><pre><code>
+[customizations.services]
+enabled = ["cron"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id352" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id352"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service cron
   block:
 
   - name: Gather the package facts
@@ -48005,9 +48008,6 @@
   - medium_severity
   - no_reboot_needed
   - service_cron_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id352" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id352"><pre><code>
-[customizations.services]
-enabled = ["cron"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id353" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id353"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_cron
 
 class enable_cron {
@@ -48191,7 +48191,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id363" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id363"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Block Disable service xinetd
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id363" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id363"><pre><code>
+[customizations.services]
+disabled = ["xinetd"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id364" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id364"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Block Disable service xinetd
   block:
 
   - name: Disable service xinetd
@@ -48263,9 +48266,6 @@
   - medium_severity
   - no_reboot_needed
   - service_xinetd_disabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id364" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id364"><pre><code>
-[customizations.services]
-disabled = ["xinetd"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id365" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id365"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include disable_xinetd
 
 class disable_xinetd {
@@ -48353,7 +48353,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id372" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id372"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Block Disable service rexec
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id372" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id372"><pre><code>
+[customizations.services]
+disabled = ["rexec"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id373" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id373"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Block Disable service rexec
   block:
 
   - name: Disable service rexec
@@ -48431,9 +48434,6 @@
   - low_disruption
   - no_reboot_needed
   - service_rexec_disabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id373" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id373"><pre><code>
-[customizations.services]
-disabled = ["rexec"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id374" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id374"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include disable_rexec
 
 class disable_rexec {
@@ -48475,7 +48475,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id377" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id377"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Block Disable service rlogin
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id377" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id377"><pre><code>
+[customizations.services]
+disabled = ["rlogin"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id378" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id378"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Block Disable service rlogin
   block:
 
   - name: Disable service rlogin
@@ -48553,9 +48556,6 @@
   - low_disruption
   - no_reboot_needed
/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-pci-dss-4.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-pci-dss-4.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-pci-dss-4.html	2023-07-27 00:00:00.000000000 +0000
@@ -65,7 +65,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>PCI-DSS v4 Control Baseline for SUSE Linux enterprise 15</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_pci-dss-4</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:suse:linux_enterprise_desktop:15 is applicable to this Benchmark">cpe:/o:suse:linux_enterprise_desktop:15</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:suse:linux_enterprise_server:15 is applicable to this Benchmark">cpe:/o:suse:linux_enterprise_server:15</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_avahi">Avahi Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_dns">DNS Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_http">Web Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_printing">Print Support</a></li><li><a href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB) Microsoft Windows File Sharing Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_snmp">SNMP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_sssd">System Security Services Daemon</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_SLE-15"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_SLE-15"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of SUSE Linux Enterprise 15
                           <small>Group contains 103 groups and 259 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_SLE-15"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -475,7 +475,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id26" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id26"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -493,10 +497,6 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id26" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id26"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id27" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id27"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
@@ -1995,7 +1995,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id68" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id68"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id68" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id68"><pre><code>
+[[packages]]
+name = "sudo"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id69" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id69"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -2010,10 +2014,6 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id69" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id69"><pre><code>
-[[packages]]
-name = "sudo"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id70" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id70"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
 
 class install_sudo {
@@ -7281,7 +7281,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id136" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id136"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service pcscd
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id136" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id136"><pre><code>
+[customizations.services]
+enabled = ["pcscd"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id137" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id137"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service pcscd
   block:
 
   - name: Gather the package facts
@@ -7320,9 +7323,6 @@
   - medium_severity
   - no_reboot_needed
   - service_pcscd_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id137" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id137"><pre><code>
-[customizations.services]
-enabled = ["pcscd"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id138" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id138"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_pcscd
 
 class enable_pcscd {
@@ -51864,7 +51864,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id391" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id391"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure audit-audispd-plugins is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id391" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id391"><pre><code>
+[[packages]]
+name = "audit-audispd-plugins"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id392" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id392"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure audit-audispd-plugins is installed
   package:
     name: audit-audispd-plugins
     state: present
@@ -51880,10 +51884,6 @@
   - medium_severity
   - no_reboot_needed
   - package_audit-audispd-plugins_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id392" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id392"><pre><code>
-[[packages]]
-name = "audit-audispd-plugins"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id393" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id393"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_audit-audispd-plugins
 
 class install_audit-audispd-plugins {
@@ -51903,7 +51903,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id396" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id396"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure audit is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id396" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id396"><pre><code>
+[[packages]]
+name = "audit"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id397" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id397"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure audit is installed
   package:
     name: audit
     state: present
@@ -51926,10 +51930,6 @@
   - medium_severity
   - no_reboot_needed
   - package_audit_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id397" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id397"><pre><code>
-[[packages]]
-name = "audit"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id398" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id398"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_audit
 
 class install_audit {
@@ -51964,7 +51964,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id401" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id401"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id401" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id401"><pre><code>
+[customizations.services]
+enabled = ["auditd"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id402" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id402"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -52034,9 +52037,6 @@
   - medium_severity
   - no_reboot_needed
   - service_auditd_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id402" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id402"><pre><code>
-[customizations.services]
-enabled = ["auditd"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id403" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id403"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_auditd
 
 class enable_auditd {
@@ -52072,7 +52072,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id406" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id406"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id406" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id406"><pre><code>[customizations.kernel]
+append = "audit=1"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id407" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id407"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -52194,8 +52196,6 @@
   - medium_complexity
   - reboot_required
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id407" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id407"><pre><code>[customizations.kernel]
-append = "audit=1"
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_bootloader-grub2" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td style="padding-left: 38px" id="xccdf_org.ssgproject.content_group_bootloader-grub2"><span class="label label-default">Group</span>  
                 GRUB2 bootloader configuration
                           <small>Group contains 1 group and 2 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_bootloader-grub2" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_bootloader-grub2" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td style="padding-left: 38px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_bootloader-grub2">[ref]</a>  
@@ -53599,7 +53599,11 @@
             <abbr title="https://ncp.nist.gov/cce: CCE-85799-5">CCE-85799-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> 
             <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001130</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001131</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.15.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.MA-2</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-4.1</a>, <a href="https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf">4.2.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000120-GPOS-00061</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id429" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ⇲</a><br><div class="panel-collapse collapse" id="id429"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
 zypper install -y "libreswan"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id430" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id430"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure libreswan is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id430" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id430"><pre><code>
+[[packages]]
+name = "libreswan"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id431" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id431"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure libreswan is installed
   package:
     name: libreswan
     state: present
@@ -53614,10 +53618,6 @@
   - medium_severity
   - no_reboot_needed
   - package_libreswan_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id431" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id431"><pre><code>
-[[packages]]
-name = "libreswan"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id432" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id432"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_libreswan
 
 class install_libreswan {
@@ -53637,7 +53637,11 @@
             <abbr title="https://ncp.nist.gov/cce: CCE-85836-5">CCE-85836-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> 
             <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001130</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001131</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.15.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.MA-2</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-4.1</a>, <a href="https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf">4.2.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000120-GPOS-00061</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id434" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ⇲</a><br><div class="panel-collapse collapse" id="id434"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
 zypper install -y "strongswan"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id435" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id435"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure strongswan is installed
/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-pci-dss.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-pci-dss.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-pci-dss.html	2023-07-27 00:00:00.000000000 +0000
@@ -65,7 +65,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>PCI-DSS v3.2.1 Control Baseline for SUSE Linux enterprise 15</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_pci-dss</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:suse:linux_enterprise_desktop:15 is applicable to this Benchmark">cpe:/o:suse:linux_enterprise_desktop:15</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:suse:linux_enterprise_server:15 is applicable to this Benchmark">cpe:/o:suse:linux_enterprise_server:15</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_sssd">System Security Services Daemon</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_SLE-15"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_SLE-15"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of SUSE Linux Enterprise 15
                           <small>Group contains 63 groups and 157 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_SLE-15"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -475,7 +475,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id26" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id26"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -493,10 +497,6 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id26" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id26"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id27" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id27"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
@@ -5875,7 +5875,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id107" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id107"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service pcscd
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id107" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id107"><pre><code>
+[customizations.services]
+enabled = ["pcscd"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id108" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id108"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service pcscd
   block:
 
   - name: Gather the package facts
@@ -5914,9 +5917,6 @@
   - medium_severity
   - no_reboot_needed
   - service_pcscd_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id108" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id108"><pre><code>
-[customizations.services]
-enabled = ["pcscd"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id109" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id109"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_pcscd
 
 class enable_pcscd {
@@ -49451,7 +49451,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id324" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id324"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure audit-audispd-plugins is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id324" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id324"><pre><code>
+[[packages]]
+name = "audit-audispd-plugins"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id325" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id325"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure audit-audispd-plugins is installed
   package:
     name: audit-audispd-plugins
     state: present
@@ -49467,10 +49471,6 @@
   - medium_severity
   - no_reboot_needed
   - package_audit-audispd-plugins_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id325" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id325"><pre><code>
-[[packages]]
-name = "audit-audispd-plugins"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id326" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id326"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_audit-audispd-plugins
 
 class install_audit-audispd-plugins {
@@ -49505,7 +49505,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id329" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id329"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id329" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id329"><pre><code>
+[customizations.services]
+enabled = ["auditd"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id330" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id330"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -49575,9 +49578,6 @@
   - medium_severity
   - no_reboot_needed
   - service_auditd_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id330" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id330"><pre><code>
-[customizations.services]
-enabled = ["auditd"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id331" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id331"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_auditd
 
 class enable_auditd {
@@ -49613,7 +49613,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id334" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id334"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id334" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id334"><pre><code>[customizations.kernel]
+append = "audit=1"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id335" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id335"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -49735,8 +49737,6 @@
   - medium_complexity
   - reboot_required
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id335" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id335"><pre><code>[customizations.kernel]
-append = "audit=1"
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_bootloader-grub2" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td style="padding-left: 38px" id="xccdf_org.ssgproject.content_group_bootloader-grub2"><span class="label label-default">Group</span>  
                 GRUB2 bootloader configuration
                           <small>Group contains 1 group and 2 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_bootloader-grub2" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_bootloader-grub2" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td style="padding-left: 38px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_bootloader-grub2">[ref]</a>  
@@ -51140,7 +51140,11 @@
             <abbr title="https://ncp.nist.gov/cce: CCE-85799-5">CCE-85799-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> 
             <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001130</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001131</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.15.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.MA-2</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-4.1</a>, <a href="https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf">4.2.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000120-GPOS-00061</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id357" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ⇲</a><br><div class="panel-collapse collapse" id="id357"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
 zypper install -y "libreswan"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id358" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id358"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure libreswan is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id358" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id358"><pre><code>
+[[packages]]
+name = "libreswan"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id359" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id359"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure libreswan is installed
   package:
     name: libreswan
     state: present
@@ -51155,10 +51159,6 @@
   - medium_severity
   - no_reboot_needed
   - package_libreswan_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id359" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id359"><pre><code>
-[[packages]]
-name = "libreswan"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id360" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id360"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_libreswan
 
 class install_libreswan {
@@ -51178,7 +51178,11 @@
             <abbr title="https://ncp.nist.gov/cce: CCE-85836-5">CCE-85836-5</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> 
             <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001130</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001131</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.15.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.MA-2</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-4.1</a>, <a href="https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf">4.2.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000120-GPOS-00061</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id362" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ⇲</a><br><div class="panel-collapse collapse" id="id362"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
 zypper install -y "strongswan"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id363" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id363"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure strongswan is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id363" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id363"><pre><code>
+[[packages]]
+name = "strongswan"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id364" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id364"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure strongswan is installed
   package:
     name: strongswan
     state: present
@@ -51193,10 +51197,6 @@
   - medium_severity
   - no_reboot_needed
   - package_strongswan_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id364" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id364"><pre><code>
-[[packages]]
-name = "strongswan"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id365" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id365"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_strongswan
 
 class install_strongswan {
@@ -51234,7 +51234,11 @@
             <abbr title="https://ncp.nist.gov/cce: CCE-91244-4">CCE-91244-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> 
             <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-1.4.1</a>, <a href="https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf">1.4.2</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://www.cisecurity.org/benchmark/suse_linux/">3.5.3.1.1</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id367" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ⇲</a><br><div class="panel-collapse collapse" id="id367"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
 zypper install -y "iptables"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id368" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id368"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure iptables is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id368" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id368"><pre><code>
+[[packages]]
+name = "iptables"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id369" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id369"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure iptables is installed
   package:
     name: iptables
     state: present
@@ -51249,10 +51253,6 @@
   - medium_severity
   - no_reboot_needed
   - package_iptables_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id369" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id369"><pre><code>
-[[packages]]
-name = "iptables"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id370" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id370"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_iptables
 
 class install_iptables {
@@ -51299,7 +51299,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id373" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id373"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-pcs-hardening-sap.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-pcs-hardening-sap.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-pcs-hardening-sap.html	2023-07-27 00:00:00.000000000 +0000
@@ -68,7 +68,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Hardening for Public Cloud Image of SUSE Linux Enterprise Server (SLES) for SAP Applications 15</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_pcs-hardening-sap</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:suse:linux_enterprise_desktop:15 is applicable to this Benchmark">cpe:/o:suse:linux_enterprise_desktop:15</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:suse:linux_enterprise_server:15 is applicable to this Benchmark">cpe:/o:suse:linux_enterprise_server:15</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_SLE-15"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_SLE-15"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of SUSE Linux Enterprise 15
                           <small>Group contains 52 groups and 167 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_SLE-15"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -121,7 +121,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id18" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id18"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id18" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id18"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id19" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id19"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -139,10 +143,6 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id19" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id19"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id20" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id20"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
@@ -61980,7 +61980,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id404" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id404"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure audit-audispd-plugins is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id404" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id404"><pre><code>
+[[packages]]
+name = "audit-audispd-plugins"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id405" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id405"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure audit-audispd-plugins is installed
   package:
     name: audit-audispd-plugins
     state: present
@@ -61996,10 +62000,6 @@
   - medium_severity
   - no_reboot_needed
   - package_audit-audispd-plugins_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id405" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id405"><pre><code>
-[[packages]]
-name = "audit-audispd-plugins"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id406" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id406"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_audit-audispd-plugins
 
 class install_audit-audispd-plugins {
@@ -62019,7 +62019,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id409" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id409"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure audit is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id409" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id409"><pre><code>
+[[packages]]
+name = "audit"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id410" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id410"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure audit is installed
   package:
     name: audit
     state: present
@@ -62042,10 +62046,6 @@
   - medium_severity
   - no_reboot_needed
   - package_audit_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id410" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id410"><pre><code>
-[[packages]]
-name = "audit"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id411" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id411"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_audit
 
 class install_audit {
@@ -62353,7 +62353,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id423" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id423"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rsyslog is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id423" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id423"><pre><code>
+[[packages]]
+name = "rsyslog"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id424" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id424"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rsyslog is installed
   package:
     name: rsyslog
     state: present
@@ -62367,10 +62371,6 @@
   - medium_severity
   - no_reboot_needed
   - package_rsyslog_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id424" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id424"><pre><code>
-[[packages]]
-name = "rsyslog"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id425" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id425"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_rsyslog
 
 class install_rsyslog {
@@ -62423,7 +62423,11 @@
             <abbr title="https://ncp.nist.gov/cce: CCE-91244-4">CCE-91244-4</abbr></p><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> 
             <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-1.4.1</a>, <a href="https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf">1.4.2</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://www.cisecurity.org/benchmark/suse_linux/">3.5.3.1.1</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id427" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ⇲</a><br><div class="panel-collapse collapse" id="id427"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
 zypper install -y "iptables"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id428" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id428"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure iptables is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id428" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id428"><pre><code>
+[[packages]]
+name = "iptables"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id429" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id429"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure iptables is installed
   package:
     name: iptables
     state: present
@@ -62438,10 +62442,6 @@
   - medium_severity
   - no_reboot_needed
   - package_iptables_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id429" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id429"><pre><code>
-[[packages]]
-name = "iptables"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id430" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id430"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_iptables
 
 class install_iptables {
@@ -63420,7 +63420,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id478" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id478"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure chrony is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id478" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id478"><pre><code>
+[[packages]]
+name = "chrony"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id479" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id479"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure chrony is installed
   package:
     name: chrony
     state: present
@@ -63435,10 +63439,6 @@
   - medium_severity
   - no_reboot_needed
   - package_chrony_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id479" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id479"><pre><code>
-[[packages]]
-name = "chrony"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id480" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id480"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_chrony
 
 class install_chrony {
/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-pcs-hardening.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-pcs-hardening.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-pcs-hardening.html	2023-07-27 00:00:00.000000000 +0000
@@ -66,7 +66,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Public Cloud Hardening for SUSE Linux Enterprise 15</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_pcs-hardening</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:suse:linux_enterprise_desktop:15 is applicable to this Benchmark">cpe:/o:suse:linux_enterprise_desktop:15</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:suse:linux_enterprise_server:15 is applicable to this Benchmark">cpe:/o:suse:linux_enterprise_server:15</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_SLE-15"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_SLE-15"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of SUSE Linux Enterprise 15
                           <small>Group contains 54 groups and 165 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_SLE-15"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -62479,7 +62479,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id411" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id411"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service firewalld
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id411" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id411"><pre><code>
+[customizations.services]
+enabled = ["firewalld"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id412" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id412"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service firewalld
   block:
 
   - name: Gather the package facts
@@ -62510,9 +62513,6 @@
   - medium_severity
   - no_reboot_needed
   - service_firewalld_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id412" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id412"><pre><code>
-[customizations.services]
-enabled = ["firewalld"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id413" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id413"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_firewalld
 
 class enable_firewalld {
/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-standard.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-standard.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-standard.html	2023-07-27 00:00:00.000000000 +0000
@@ -68,7 +68,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Standard System Security Profile for SUSE Linux Enterprise 15</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_standard</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:suse:linux_enterprise_desktop:15 is applicable to this Benchmark">cpe:/o:suse:linux_enterprise_desktop:15</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:suse:linux_enterprise_server:15 is applicable to this Benchmark">cpe:/o:suse:linux_enterprise_server:15</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated services</a></li><li><a href="#xccdf_org.ssgproject.content_group_http">Web Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_SLE-15"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_SLE-15"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of SUSE Linux Enterprise 15
                           <small>Group contains 45 groups and 111 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_SLE-15"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -24317,7 +24317,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id141" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id141"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure audit is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id141" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id141"><pre><code>
+[[packages]]
+name = "audit"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id142" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id142"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure audit is installed
   package:
     name: audit
     state: present
@@ -24340,10 +24344,6 @@
   - medium_severity
   - no_reboot_needed
   - package_audit_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id142" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id142"><pre><code>
-[[packages]]
-name = "audit"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id143" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id143"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_audit
 
 class install_audit {
@@ -24378,7 +24378,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id146" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id146"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id146" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id146"><pre><code>
+[customizations.services]
+enabled = ["auditd"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id147" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id147"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -24448,9 +24451,6 @@
   - medium_severity
   - no_reboot_needed
   - service_auditd_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id147" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id147"><pre><code>
-[customizations.services]
-enabled = ["auditd"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id148" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id148"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_auditd
 
 class enable_auditd {
@@ -25602,7 +25602,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id163" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id163"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rsyslog is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id163" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id163"><pre><code>
+[[packages]]
+name = "rsyslog"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id164" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id164"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rsyslog is installed
   package:
     name: rsyslog
     state: present
@@ -25616,10 +25620,6 @@
   - medium_severity
   - no_reboot_needed
   - package_rsyslog_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id164" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id164"><pre><code>
-[[packages]]
-name = "rsyslog"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id165" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id165"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_rsyslog
 
 class install_rsyslog {
@@ -25646,7 +25646,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id168" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id168"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service rsyslog
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id168" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id168"><pre><code>
+[customizations.services]
+enabled = ["rsyslog"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id169" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id169"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service rsyslog
   block:
 
   - name: Gather the package facts
@@ -25672,9 +25675,6 @@
   - medium_severity
   - no_reboot_needed
   - service_rsyslog_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id169" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id169"><pre><code>
-[customizations.services]
-enabled = ["rsyslog"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id170" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id170"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_rsyslog
 
 class enable_rsyslog {
@@ -25802,7 +25802,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id173" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id173"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure firewalld is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id173" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id173"><pre><code>
+[[packages]]
+name = "firewalld"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id174" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id174"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure firewalld is installed
   package:
     name: firewalld
     state: present
@@ -25820,10 +25824,6 @@
   - medium_severity
   - no_reboot_needed
   - package_firewalld_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id174" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id174"><pre><code>
-[[packages]]
-name = "firewalld"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id175" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id175"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_firewalld
 
 class install_firewalld {
@@ -30119,7 +30119,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id281" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id281"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure cron is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id281" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id281"><pre><code>
+[[packages]]
+name = "cron"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id282" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id282"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure cron is installed
   package:
     name: cron
     state: present
@@ -30132,10 +30136,6 @@
   - medium_severity
   - no_reboot_needed
   - package_cron_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id282" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id282"><pre><code>
-[[packages]]
-name = "cron"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id283" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id283"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_cron
 
 class install_cron {
@@ -30164,7 +30164,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id286" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id286"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service cron
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id286" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id286"><pre><code>
+[customizations.services]
+enabled = ["cron"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id287" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id287"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service cron
   block:
 
   - name: Gather the package facts
@@ -30190,9 +30193,6 @@
   - medium_severity
   - no_reboot_needed
   - service_cron_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id287" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id287"><pre><code>
-[customizations.services]
-enabled = ["cron"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id288" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id288"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_cron
 
 class enable_cron {
@@ -30446,7 +30446,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id315" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id315"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Block Disable service httpd
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id315" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id315"><pre><code>
+[customizations.services]
+disabled = ["httpd"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id316" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id316"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Block Disable service httpd
   block:
 
   - name: Disable service httpd
@@ -30515,9 +30518,6 @@
   - no_reboot_needed
   - service_httpd_disabled
   - unknown_severity
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id316" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id316"><pre><code>
-[customizations.services]
-disabled = ["httpd"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id317" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id317"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include disable_httpd
 
 class disable_httpd {
@@ -30599,7 +30599,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id320" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id320"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure ntp is installed
/usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-stig.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-stig.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sle15-guide-stig.html	2023-07-27 00:00:00.000000000 +0000
@@ -66,7 +66,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>DISA STIG for SUSE Linux Enterprise 15</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_stig</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:suse:linux_enterprise_desktop:15 is applicable to this Benchmark">cpe:/o:suse:linux_enterprise_desktop:15</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:suse:linux_enterprise_server:15 is applicable to this Benchmark">cpe:/o:suse:linux_enterprise_server:15</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_apparmor">AppArmor</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_sssd">System Security Services Daemon</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_SLE-15"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_SLE-15"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of SUSE Linux Enterprise 15
                           <small>Group contains 83 groups and 239 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_SLE-15"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -119,7 +119,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id18" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id18"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id18" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id18"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id19" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id19"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -137,10 +141,6 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id19" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id19"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id20" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id20"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
@@ -8258,7 +8258,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id154" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id154"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure kbd is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id154" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id154"><pre><code>
+[[packages]]
+name = "kbd"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id155" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id155"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure kbd is installed
   package:
     name: kbd
     state: present
@@ -8272,10 +8276,6 @@
   - medium_severity
   - no_reboot_needed
   - vlock_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id155" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id155"><pre><code>
-[[packages]]
-name = "kbd"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id156" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id156"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_kbd
 
 class install_kbd {
@@ -56810,7 +56810,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id462" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id462"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure audit-audispd-plugins is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id462" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id462"><pre><code>
+[[packages]]
+name = "audit-audispd-plugins"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id463" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id463"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure audit-audispd-plugins is installed
   package:
     name: audit-audispd-plugins
     state: present
@@ -56826,10 +56830,6 @@
   - medium_severity
   - no_reboot_needed
   - package_audit-audispd-plugins_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id463" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id463"><pre><code>
-[[packages]]
-name = "audit-audispd-plugins"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id464" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id464"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_audit-audispd-plugins
 
 class install_audit-audispd-plugins {
@@ -56849,7 +56849,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id467" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id467"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure audit is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id467" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id467"><pre><code>
+[[packages]]
+name = "audit"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id468" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id468"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure audit is installed
   package:
     name: audit
     state: present
@@ -56872,10 +56876,6 @@
   - medium_severity
   - no_reboot_needed
   - package_audit_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id468" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id468"><pre><code>
-[[packages]]
-name = "audit"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id469" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id469"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_audit
 
 class install_audit {
@@ -56910,7 +56910,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id472" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id472"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id472" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id472"><pre><code>
+[customizations.services]
+enabled = ["auditd"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id473" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id473"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -56980,9 +56983,6 @@
   - medium_severity
   - no_reboot_needed
   - service_auditd_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id473" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id473"><pre><code>
-[customizations.services]
-enabled = ["auditd"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id474" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id474"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_auditd
 
 class enable_auditd {
@@ -57026,7 +57026,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id477" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id477"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure pam_apparmor is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id477" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id477"><pre><code>
+[[packages]]
+name = "pam_apparmor"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id478" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id478"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure pam_apparmor is installed
   package:
     name: pam_apparmor
     state: present
@@ -57047,10 +57051,6 @@
   - medium_severity
   - no_reboot_needed
   - package_pam_apparmor_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id478" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id478"><pre><code>
-[[packages]]
-name = "pam_apparmor"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id479" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id479"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_pam_apparmor
 
 class install_pam_apparmor {
@@ -57102,7 +57102,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id482" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id482"><pre><code>- name: Start apparmor.service
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id482" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id482"><pre><code>
+[customizations.services]
+enabled = ["apparmor"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id483" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id483"><pre><code>- name: Start apparmor.service
   systemd:
     name: apparmor.service
     state: started
@@ -57120,9 +57123,6 @@
   - NIST-800-53-SC-7(21)
   - apparmor_configured
   - medium_severity
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id483" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id483"><pre><code>
-[customizations.services]
-enabled = ["apparmor"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id484" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id484"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_apparmor
 
 class enable_apparmor {
@@ -57518,7 +57518,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id495" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id495"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure firewalld is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id495" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id495"><pre><code>
+[[packages]]
+name = "firewalld"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id496" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id496"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure firewalld is installed
   package:
     name: firewalld
     state: present
@@ -57536,10 +57540,6 @@
   - medium_severity
   - no_reboot_needed
   - package_firewalld_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id496" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id496"><pre><code>
-[[packages]]
-name = "firewalld"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id497" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id497"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_firewalld
 
 class install_firewalld {
@@ -57566,7 +57566,10 @@
/usr/share/xml/scap/ssg/content/ssg-opensuse-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-opensuse-ds-1.2.xml	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-opensuse-ds-1.2.xml	2023-07-27 00:00:00.000000000 +0000
@@ -45,7 +45,7 @@
   </ds:component>
   <ds:component id="scap_org.open-scap_comp_ssg-opensuse-xccdf.xml" timestamp="2023-07-27T00:00:00">
     <xccdf-1.2:Benchmark id="xccdf_org.ssgproject.content_benchmark_OPENSUSE" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.2 xccdf-1.2.xsd" style="SCAP_1.2" resolved="true" xml:lang="en-US">
-      <xccdf-1.2:status date="2023-07-27">draft</xccdf-1.2:status>
+      <xccdf-1.2:status date="2039-08-29">draft</xccdf-1.2:status>
       <xccdf-1.2:title>Guide to the Secure Configuration of openSUSE</xccdf-1.2:title>
       <xccdf-1.2:description>This guide presents a catalog of security-relevant
 configuration settings for openSUSE. It is a rendering of
@@ -88,10 +88,14 @@
 countries. All other names are registered trademarks or trademarks of their
 respective companies.</xccdf-1.2:rear-matter>
       <cpe-lang:platform-specification>
-        <cpe-lang:platform id="machine_and_not_s390x_arch">
+        <cpe-lang:platform id="package_postfix">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
+          </cpe-lang:logical-test>
+        </cpe-lang:platform>
+        <cpe-lang:platform id="non-uefi">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="machine_and_not_osbuild">
@@ -102,44 +106,41 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_sssd">
+        <cpe-lang:platform id="package_ntp">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_postfix">
+        <cpe-lang:platform id="machine_and_not_s390x_arch">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_pam">
+        <cpe-lang:platform id="package_sssd">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
-          </cpe-lang:logical-test>
-        </cpe-lang:platform>
-        <cpe-lang:platform id="not_osbuild">
-          <cpe-lang:logical-test operator="AND" negate="true">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine">
+        <cpe-lang:platform id="machine_and_package_ufw">
           <cpe-lang:logical-test operator="AND" negate="false">
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_shadow-utils">
+        <cpe-lang:platform id="package_gdm">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-package_shadow-utils:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-package_gdm:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_systemd">
+        <cpe-lang:platform id="package_pam">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-package_systemd:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="non-uefi">
+        <cpe-lang:platform id="package_chrony">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="package_sudo">
@@ -147,19 +148,14 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-package_sudo:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="not_package_nftables_and_not_package_ufw">
+        <cpe-lang:platform id="package_systemd">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:logical-test operator="AND" negate="true">
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-package_nftables:def:1"/>
-            </cpe-lang:logical-test>
-            <cpe-lang:logical-test operator="AND" negate="true">
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
-            </cpe-lang:logical-test>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-package_systemd:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_gdm">
+        <cpe-lang:platform id="aarch64_arch">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-package_gdm:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="grub2">
@@ -167,24 +163,29 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_grub2_package:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_ntp">
-          <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
+        <cpe-lang:platform id="not_osbuild">
+          <cpe-lang:logical-test operator="AND" negate="true">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_chrony">
+        <cpe-lang:platform id="not_package_nftables_and_not_package_ufw">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
+            <cpe-lang:logical-test operator="AND" negate="true">
+              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-package_nftables:def:1"/>
+            </cpe-lang:logical-test>
+            <cpe-lang:logical-test operator="AND" negate="true">
+              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
+            </cpe-lang:logical-test>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="aarch64_arch">
+        <cpe-lang:platform id="machine">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="s390x_arch">
+        <cpe-lang:platform id="uefi">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_s390x:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_uefi:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="package_audit">
@@ -192,15 +193,14 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-package_audit:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="uefi">
+        <cpe-lang:platform id="package_shadow-utils">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_uefi:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-package_shadow-utils:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_package_ufw">
+        <cpe-lang:platform id="s390x_arch">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_s390x:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
       </cpe-lang:platform-specification>
@@ -2474,6 +2474,11 @@
 other required structures.
 This package contains command line TLS client and server and certificate
 manipulation tools.</xccdf-1.2:rationale>
+              <xccdf-1.2:fix system="urn:redhat:osbuild:blueprint" id="package_gnutls-utils_installed">
+[[packages]]
+name = "gnutls-utils"
+version = "*"
+</xccdf-1.2:fix>
               <xccdf-1.2:fix system="urn:xccdf:fix:script:ansible" id="package_gnutls-utils_installed" complexity="low" disruption="low" reboot="false" strategy="enable">- name: Ensure gnutls-utils is installed
   package:
     name: gnutls-utils
@@ -2486,11 +2491,6 @@
   - no_reboot_needed
   - package_gnutls-utils_installed
 </xccdf-1.2:fix>
-              <xccdf-1.2:fix system="urn:redhat:osbuild:blueprint" id="package_gnutls-utils_installed">
-[[packages]]
-name = "gnutls-utils"
-version = "*"
-</xccdf-1.2:fix>
               <xccdf-1.2:fix system="urn:xccdf:fix:script:puppet" id="package_gnutls-utils_installed" complexity="low" disruption="low" reboot="false" strategy="enable">include install_gnutls-utils
 
 class install_gnutls-utils {
@@ -2518,6 +2518,11 @@
 server applications. Install the <html:code>nss-tools</html:code> package
 to install command-line tools to manipulate the NSS certificate
 and key database.</xccdf-1.2:rationale>
/usr/share/xml/scap/ssg/content/ssg-opensuse-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-opensuse-ds.xml	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-opensuse-ds.xml	2023-07-27 00:00:00.000000000 +0000
@@ -45,7 +45,7 @@
   </ds:component>
   <ds:component id="scap_org.open-scap_comp_ssg-opensuse-xccdf.xml" timestamp="2023-07-27T00:00:00">
     <xccdf-1.2:Benchmark id="xccdf_org.ssgproject.content_benchmark_OPENSUSE" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.2 xccdf-1.2.xsd" style="SCAP_1.2" resolved="true" xml:lang="en-US">
-      <xccdf-1.2:status date="2023-07-27">draft</xccdf-1.2:status>
+      <xccdf-1.2:status date="2039-08-29">draft</xccdf-1.2:status>
       <xccdf-1.2:title>Guide to the Secure Configuration of openSUSE</xccdf-1.2:title>
       <xccdf-1.2:description>This guide presents a catalog of security-relevant
 configuration settings for openSUSE. It is a rendering of
@@ -88,10 +88,14 @@
 countries. All other names are registered trademarks or trademarks of their
 respective companies.</xccdf-1.2:rear-matter>
       <cpe-lang:platform-specification>
-        <cpe-lang:platform id="machine_and_not_s390x_arch">
+        <cpe-lang:platform id="package_postfix">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
+          </cpe-lang:logical-test>
+        </cpe-lang:platform>
+        <cpe-lang:platform id="non-uefi">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="machine_and_not_osbuild">
@@ -102,44 +106,41 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_sssd">
+        <cpe-lang:platform id="package_ntp">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_postfix">
+        <cpe-lang:platform id="machine_and_not_s390x_arch">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_pam">
+        <cpe-lang:platform id="package_sssd">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
-          </cpe-lang:logical-test>
-        </cpe-lang:platform>
-        <cpe-lang:platform id="not_osbuild">
-          <cpe-lang:logical-test operator="AND" negate="true">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine">
+        <cpe-lang:platform id="machine_and_package_ufw">
           <cpe-lang:logical-test operator="AND" negate="false">
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_shadow-utils">
+        <cpe-lang:platform id="package_gdm">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-package_shadow-utils:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-package_gdm:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_systemd">
+        <cpe-lang:platform id="package_pam">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-package_systemd:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="non-uefi">
+        <cpe-lang:platform id="package_chrony">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="package_sudo">
@@ -147,19 +148,14 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-package_sudo:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="not_package_nftables_and_not_package_ufw">
+        <cpe-lang:platform id="package_systemd">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:logical-test operator="AND" negate="true">
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-package_nftables:def:1"/>
-            </cpe-lang:logical-test>
-            <cpe-lang:logical-test operator="AND" negate="true">
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
-            </cpe-lang:logical-test>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-package_systemd:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_gdm">
+        <cpe-lang:platform id="aarch64_arch">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-package_gdm:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="grub2">
@@ -167,24 +163,29 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_grub2_package:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_ntp">
-          <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
+        <cpe-lang:platform id="not_osbuild">
+          <cpe-lang:logical-test operator="AND" negate="true">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_chrony">
+        <cpe-lang:platform id="not_package_nftables_and_not_package_ufw">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
+            <cpe-lang:logical-test operator="AND" negate="true">
+              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-package_nftables:def:1"/>
+            </cpe-lang:logical-test>
+            <cpe-lang:logical-test operator="AND" negate="true">
+              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
+            </cpe-lang:logical-test>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="aarch64_arch">
+        <cpe-lang:platform id="machine">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="s390x_arch">
+        <cpe-lang:platform id="uefi">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_s390x:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_uefi:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="package_audit">
@@ -192,15 +193,14 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-package_audit:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="uefi">
+        <cpe-lang:platform id="package_shadow-utils">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_uefi:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-package_shadow-utils:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_package_ufw">
+        <cpe-lang:platform id="s390x_arch">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_s390x:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
       </cpe-lang:platform-specification>
@@ -2474,6 +2474,11 @@
 other required structures.
 This package contains command line TLS client and server and certificate
 manipulation tools.</xccdf-1.2:rationale>
+              <xccdf-1.2:fix system="urn:redhat:osbuild:blueprint" id="package_gnutls-utils_installed">
+[[packages]]
+name = "gnutls-utils"
+version = "*"
+</xccdf-1.2:fix>
               <xccdf-1.2:fix system="urn:xccdf:fix:script:ansible" id="package_gnutls-utils_installed" complexity="low" disruption="low" reboot="false" strategy="enable">- name: Ensure gnutls-utils is installed
   package:
     name: gnutls-utils
@@ -2486,11 +2491,6 @@
   - no_reboot_needed
   - package_gnutls-utils_installed
 </xccdf-1.2:fix>
-              <xccdf-1.2:fix system="urn:redhat:osbuild:blueprint" id="package_gnutls-utils_installed">
-[[packages]]
-name = "gnutls-utils"
-version = "*"
-</xccdf-1.2:fix>
               <xccdf-1.2:fix system="urn:xccdf:fix:script:puppet" id="package_gnutls-utils_installed" complexity="low" disruption="low" reboot="false" strategy="enable">include install_gnutls-utils
 
 class install_gnutls-utils {
@@ -2518,6 +2518,11 @@
 server applications. Install the <html:code>nss-tools</html:code> package
 to install command-line tools to manipulate the NSS certificate
 and key database.</xccdf-1.2:rationale>
/usr/share/xml/scap/ssg/content/ssg-opensuse-ocil.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-opensuse-ocil.xml	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-opensuse-ocil.xml	2023-07-27 00:00:00.000000000 +0000
@@ -7,808 +7,808 @@
     <ocil:timestamp>2023-07-27T00:00:00</ocil:timestamp>
   </ocil:generator>
   <ocil:questionnaires>
-    <ocil:questionnaire id="ocil:ssg-account_passwords_pam_faillock_dir_ocil:questionnaire:1">
-      <ocil:title>Account Lockouts Must Persist</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-kernel_config_kexec_ocil:questionnaire:1">
+      <ocil:title>Disable kexec system call</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-account_passwords_pam_faillock_dir_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-kernel_config_kexec_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-sshd_enable_warning_banner_net_ocil:questionnaire:1">
-      <ocil:title>Enable SSH Warning Banner</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-rsyslog_files_ownership_ocil:questionnaire:1">
+      <ocil:title>Ensure Log Files Are Owned By Appropriate User</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-sshd_enable_warning_banner_net_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-rsyslog_files_ownership_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-package_MFEhiplsm_installed_ocil:questionnaire:1">
-      <ocil:title>Install the Host Intrusion Prevention System (HIPS) Module</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-auditd_data_retention_max_log_file_action_ocil:questionnaire:1">
+      <ocil:title>Configure auditd max_log_file_action Upon Reaching Maximum Log Size</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-package_MFEhiplsm_installed_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-auditd_data_retention_max_log_file_action_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-grub2_disable_recovery_ocil:questionnaire:1">
-      <ocil:title>Disable Recovery Booting</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-file_groupowner_var_log_syslog_ocil:questionnaire:1">
+      <ocil:title>Verify Group Who Owns /var/log/syslog File</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-grub2_disable_recovery_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-file_groupowner_var_log_syslog_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-sudo_vdsm_nopasswd_ocil:questionnaire:1">
-      <ocil:title>Only the VDSM User Can Use sudo NOPASSWD</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-grub2_nosmep_argument_absent_ocil:questionnaire:1">
+      <ocil:title>Ensure SMEP is not disabled during boot</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-sudo_vdsm_nopasswd_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-grub2_nosmep_argument_absent_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-file_owner_var_log_messages_ocil:questionnaire:1">
-      <ocil:title>Verify User Who Owns /var/log/messages File</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-auditd_data_disk_full_action_ocil:questionnaire:1">
+      <ocil:title>Configure auditd Disk Full Action when Disk Space Is Full</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-file_owner_var_log_messages_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-auditd_data_disk_full_action_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-file_groupowner_etc_shadow_ocil:questionnaire:1">
-      <ocil:title>Verify Group Who Owns shadow File</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-set_iptables_default_rule_forward_ocil:questionnaire:1">
+      <ocil:title>Set Default iptables Policy for Forwarded Packets</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-file_groupowner_etc_shadow_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-set_iptables_default_rule_forward_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-file_permissions_backup_etc_shadow_ocil:questionnaire:1">
-      <ocil:title>Verify Permissions on Backup shadow File</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-dir_ownership_library_dirs_ocil:questionnaire:1">
+      <ocil:title>Verify that Shared Library Directories Have Root Ownership</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-file_permissions_backup_etc_shadow_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-dir_ownership_library_dirs_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-set_ip6tables_default_rule_ocil:questionnaire:1">
-      <ocil:title>Set Default ip6tables Policy for Incoming Packets</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-audit_rules_time_adjtimex_ocil:questionnaire:1">
+      <ocil:title>Record attempts to alter time through adjtimex</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-set_ip6tables_default_rule_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-audit_rules_time_adjtimex_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-file_groupowner_backup_etc_shadow_ocil:questionnaire:1">
-      <ocil:title>Verify User Who Owns Backup shadow File</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-package_rsyslog_installed_ocil:questionnaire:1">
+      <ocil:title>Ensure rsyslog is Installed</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-file_groupowner_backup_etc_shadow_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-package_rsyslog_installed_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-audit_rules_sysadmin_actions_ocil:questionnaire:1">
-      <ocil:title>Ensure auditd Collects System Administrator Actions</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-grub2_nosmap_argument_absent_ocil:questionnaire:1">
+      <ocil:title>Ensure SMAP is not disabled during boot</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-audit_rules_sysadmin_actions_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-sshd_enable_pubkey_auth_ocil:questionnaire:1">
-      <ocil:title>Enable Public Key Authentication</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-sshd_disable_rhosts_rsa_ocil:questionnaire:1">
+      <ocil:title>Disable SSH Support for Rhosts RSA Authentication</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-sshd_enable_pubkey_auth_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-sshd_disable_rhosts_rsa_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv4_conf_all_arp_filter_ocil:questionnaire:1">
-      <ocil:title>Configure ARP filtering for All IPv4 Interfaces</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-configure_user_data_backups_ocil:questionnaire:1">
+      <ocil:title>Configure Backups of User Data</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv4_conf_all_arp_filter_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-configure_user_data_backups_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-file_groupowner_backup_etc_gshadow_ocil:questionnaire:1">
-      <ocil:title>Verify Group Who Owns Backup gshadow File</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-service_ufw_enabled_ocil:questionnaire:1">
+      <ocil:title>Verify ufw Enabled</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-file_groupowner_backup_etc_gshadow_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-service_ufw_enabled_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-kernel_config_seccomp_filter_ocil:questionnaire:1">
-      <ocil:title>Enable use of Berkeley Packet Filter with seccomp</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-sshd_disable_kerb_auth_ocil:questionnaire:1">
+      <ocil:title>Disable Kerberos Authentication</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-kernel_config_seccomp_filter_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-sshd_disable_kerb_auth_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-auditd_data_retention_admin_space_left_action_ocil:questionnaire:1">
-      <ocil:title>Configure auditd admin_space_left Action on Low Disk Space</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-auditd_overflow_action_ocil:questionnaire:1">
+      <ocil:title>Appropriate Action Must be Setup When the Internal Audit Event Queue is Full</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-auditd_data_retention_admin_space_left_action_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-auditd_overflow_action_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-auditd_data_retention_max_log_file_action_stig_ocil:questionnaire:1">
-      <ocil:title>Configure auditd max_log_file_action Upon Reaching Maximum Log Size</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-auditd_data_disk_error_action_stig_ocil:questionnaire:1">
+      <ocil:title>Configure auditd Disk Error Action on Disk Error</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-auditd_data_retention_max_log_file_action_stig_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-auditd_data_disk_error_action_stig_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-audit_rules_file_deletion_events_unlinkat_ocil:questionnaire:1">
-      <ocil:title>Ensure auditd Collects File Deletion Events by User - unlinkat</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-sshd_set_idle_timeout_ocil:questionnaire:1">
+      <ocil:title>Set SSH Client Alive Interval</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-audit_rules_file_deletion_events_unlinkat_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-sshd_set_idle_timeout_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-file_owner_backup_etc_gshadow_ocil:questionnaire:1">
-      <ocil:title>Verify User Who Owns Backup gshadow File</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-no_direct_root_logins_ocil:questionnaire:1">
+      <ocil:title>Direct root Logins Not Allowed</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-file_owner_backup_etc_gshadow_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-no_direct_root_logins_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-kernel_config_randomize_memory_ocil:questionnaire:1">
-      <ocil:title>Randomize the kernel memory sections</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-accounts_polyinstantiated_tmp_ocil:questionnaire:1">
+      <ocil:title>Configure Polyinstantiation of /tmp Directories</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-kernel_config_randomize_memory_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-accounts_polyinstantiated_tmp_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-file_owner_etc_shadow_ocil:questionnaire:1">
-      <ocil:title>Verify User Who Owns shadow File</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-kernel_module_ipv6_option_disabled_ocil:questionnaire:1">
+      <ocil:title>Disable IPv6 Networking Support Automatic Loading</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-file_owner_etc_shadow_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-kernel_module_ipv6_option_disabled_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-audit_rules_file_deletion_events_rename_ocil:questionnaire:1">
-      <ocil:title>Ensure auditd Collects File Deletion Events by User - rename</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-accounts_umask_etc_login_defs_ocil:questionnaire:1">
+      <ocil:title>Ensure the Default Umask is Set Correctly in login.defs</ocil:title>
       <ocil:actions>
/usr/share/xml/scap/ssg/content/ssg-opensuse-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-opensuse-xccdf.xml	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-opensuse-xccdf.xml	2023-07-27 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
 <?xml version="1.0"?>
 <xccdf-1.2:Benchmark xmlns:cpe-lang="http://cpe.mitre.org/language/2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:html="http://www.w3.org/1999/xhtml" xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="xccdf_org.ssgproject.content_benchmark_OPENSUSE" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.2 xccdf-1.2.xsd" style="SCAP_1.2" resolved="true" xml:lang="en-US">
-  <xccdf-1.2:status date="2023-07-27">draft</xccdf-1.2:status>
+  <xccdf-1.2:status date="2039-08-29">draft</xccdf-1.2:status>
   <xccdf-1.2:title>Guide to the Secure Configuration of openSUSE</xccdf-1.2:title>
   <xccdf-1.2:description>This guide presents a catalog of security-relevant
 configuration settings for openSUSE. It is a rendering of
@@ -43,10 +43,14 @@
 countries. All other names are registered trademarks or trademarks of their
 respective companies.</xccdf-1.2:rear-matter>
   <cpe-lang:platform-specification>
-    <cpe-lang:platform id="machine_and_not_s390x_arch">
+    <cpe-lang:platform id="package_postfix">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
+      </cpe-lang:logical-test>
+    </cpe-lang:platform>
+    <cpe-lang:platform id="non-uefi">
+      <cpe-lang:logical-test operator="AND" negate="false">
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
     <cpe-lang:platform id="machine_and_not_osbuild">
@@ -57,44 +61,41 @@
         <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_sssd">
+    <cpe-lang:platform id="package_ntp">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_postfix">
+    <cpe-lang:platform id="machine_and_not_s390x_arch">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_pam">
+    <cpe-lang:platform id="package_sssd">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
-      </cpe-lang:logical-test>
-    </cpe-lang:platform>
-    <cpe-lang:platform id="not_osbuild">
-      <cpe-lang:logical-test operator="AND" negate="true">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="machine">
+    <cpe-lang:platform id="machine_and_package_ufw">
       <cpe-lang:logical-test operator="AND" negate="false">
         <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_shadow-utils">
+    <cpe-lang:platform id="package_gdm">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-package_shadow-utils:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-package_gdm:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_systemd">
+    <cpe-lang:platform id="package_pam">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-package_systemd:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="non-uefi">
+    <cpe-lang:platform id="package_chrony">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
     <cpe-lang:platform id="package_sudo">
@@ -102,19 +103,14 @@
         <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-package_sudo:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="not_package_nftables_and_not_package_ufw">
+    <cpe-lang:platform id="package_systemd">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:logical-test operator="AND" negate="true">
-          <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-package_nftables:def:1"/>
-        </cpe-lang:logical-test>
-        <cpe-lang:logical-test operator="AND" negate="true">
-          <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
-        </cpe-lang:logical-test>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-package_systemd:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_gdm">
+    <cpe-lang:platform id="aarch64_arch">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-package_gdm:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
     <cpe-lang:platform id="grub2">
@@ -122,24 +118,29 @@
         <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_grub2_package:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_ntp">
-      <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
+    <cpe-lang:platform id="not_osbuild">
+      <cpe-lang:logical-test operator="AND" negate="true">
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_chrony">
+    <cpe-lang:platform id="not_package_nftables_and_not_package_ufw">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
+        <cpe-lang:logical-test operator="AND" negate="true">
+          <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-package_nftables:def:1"/>
+        </cpe-lang:logical-test>
+        <cpe-lang:logical-test operator="AND" negate="true">
+          <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
+        </cpe-lang:logical-test>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="aarch64_arch">
+    <cpe-lang:platform id="machine">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="s390x_arch">
+    <cpe-lang:platform id="uefi">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_s390x:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_uefi:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
     <cpe-lang:platform id="package_audit">
@@ -147,15 +148,14 @@
         <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-package_audit:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="uefi">
+    <cpe-lang:platform id="package_shadow-utils">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_uefi:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-package_shadow-utils:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="machine_and_package_ufw">
+    <cpe-lang:platform id="s390x_arch">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-opensuse-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_s390x:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
   </cpe-lang:platform-specification>
@@ -2429,6 +2429,11 @@
 other required structures.
 This package contains command line TLS client and server and certificate
 manipulation tools.</xccdf-1.2:rationale>
+          <xccdf-1.2:fix system="urn:redhat:osbuild:blueprint" id="package_gnutls-utils_installed">
+[[packages]]
+name = "gnutls-utils"
+version = "*"
+</xccdf-1.2:fix>
           <xccdf-1.2:fix system="urn:xccdf:fix:script:ansible" id="package_gnutls-utils_installed" complexity="low" disruption="low" reboot="false" strategy="enable">- name: Ensure gnutls-utils is installed
   package:
     name: gnutls-utils
@@ -2441,11 +2446,6 @@
   - no_reboot_needed
   - package_gnutls-utils_installed
 </xccdf-1.2:fix>
-          <xccdf-1.2:fix system="urn:redhat:osbuild:blueprint" id="package_gnutls-utils_installed">
-[[packages]]
-name = "gnutls-utils"
-version = "*"
-</xccdf-1.2:fix>
           <xccdf-1.2:fix system="urn:xccdf:fix:script:puppet" id="package_gnutls-utils_installed" complexity="low" disruption="low" reboot="false" strategy="enable">include install_gnutls-utils
 
 class install_gnutls-utils {
@@ -2473,6 +2473,11 @@
 server applications. Install the <html:code>nss-tools</html:code> package
 to install command-line tools to manipulate the NSS certificate
 and key database.</xccdf-1.2:rationale>
+          <xccdf-1.2:fix system="urn:redhat:osbuild:blueprint" id="package_nss-tools_installed">
/usr/share/xml/scap/ssg/content/ssg-sle12-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-sle12-ds-1.2.xml	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-sle12-ds-1.2.xml	2023-07-27 00:00:00.000000000 +0000
@@ -37,7 +37,7 @@
   </ds:component>
   <ds:component id="scap_org.open-scap_comp_ssg-sle12-xccdf.xml" timestamp="2023-07-27T00:00:00">
     <xccdf-1.2:Benchmark id="xccdf_org.ssgproject.content_benchmark_SLE-12" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.2 xccdf-1.2.xsd" style="SCAP_1.2" resolved="true" xml:lang="en-US">
-      <xccdf-1.2:status date="2023-07-27">draft</xccdf-1.2:status>
+      <xccdf-1.2:status date="2039-08-29">draft</xccdf-1.2:status>
       <xccdf-1.2:title>Guide to the Secure Configuration of SUSE Linux Enterprise 12</xccdf-1.2:title>
       <xccdf-1.2:description>This guide presents a catalog of security-relevant
 configuration settings for SUSE Linux Enterprise 12. It is a rendering of
@@ -80,23 +80,29 @@
 countries. All other names are registered trademarks or trademarks of their
 respective companies.</xccdf-1.2:rear-matter>
       <cpe-lang:platform-specification>
-        <cpe-lang:platform id="machine_and_not_s390x_arch">
+        <cpe-lang:platform id="wifi-iface">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_wifi_interface:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_not_osbuild">
+        <cpe-lang:platform id="package_yum">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:logical-test operator="AND" negate="true">
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
-            </cpe-lang:logical-test>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-package_yum:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_sssd">
+        <cpe-lang:platform id="package_zypper">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-package_zypper:def:1"/>
+          </cpe-lang:logical-test>
+        </cpe-lang:platform>
+        <cpe-lang:platform id="not_package_chrony_and_not_package_ntp">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:logical-test operator="AND" negate="true">
+              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
+            </cpe-lang:logical-test>
+            <cpe-lang:logical-test operator="AND" negate="true">
+              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
+            </cpe-lang:logical-test>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="package_postfix">
@@ -104,50 +110,50 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_mount_var-tmp">
+        <cpe-lang:platform id="non-uefi">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_var-tmp:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_pam">
+        <cpe-lang:platform id="machine_and_not_osbuild">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
+            <cpe-lang:logical-test operator="AND" negate="true">
+              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
+            </cpe-lang:logical-test>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="not_osbuild">
-          <cpe-lang:logical-test operator="AND" negate="true">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
+        <cpe-lang:platform id="package_ntp">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine">
+        <cpe-lang:platform id="machine_and_mount_tmp">
           <cpe-lang:logical-test operator="AND" negate="false">
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_tmp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_shadow-utils">
+        <cpe-lang:platform id="machine_and_not_s390x_arch">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-package_shadow-utils:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_yum">
+        <cpe-lang:platform id="package_sssd">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-package_yum:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_libuser">
+        <cpe-lang:platform id="machine_and_package_ufw">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-package_libuser:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="not_s390x_arch">
+        <cpe-lang:platform id="package_libuser">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
-          </cpe-lang:logical-test>
-        </cpe-lang:platform>
-        <cpe-lang:platform id="not_rhcos4-rhel9">
-          <cpe-lang:logical-test operator="AND" negate="true">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-installed_OS_is_rhcos4_rhel9:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-package_libuser:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="package_chrony_or_package_ntp">
@@ -156,65 +162,45 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_systemd">
-          <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-package_systemd:def:1"/>
-          </cpe-lang:logical-test>
-        </cpe-lang:platform>
-        <cpe-lang:platform id="non-uefi">
-          <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
-          </cpe-lang:logical-test>
-        </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_mount_tmp">
-          <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_tmp:def:1"/>
-          </cpe-lang:logical-test>
-        </cpe-lang:platform>
-        <cpe-lang:platform id="package_sudo">
+        <cpe-lang:platform id="package_gdm">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-package_sudo:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-package_gdm:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="not_package_nftables_and_not_package_ufw">
+        <cpe-lang:platform id="package_pam">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:logical-test operator="AND" negate="true">
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-package_nftables:def:1"/>
-            </cpe-lang:logical-test>
-            <cpe-lang:logical-test operator="AND" negate="true">
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
-            </cpe-lang:logical-test>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_gdm">
+        <cpe-lang:platform id="not_s390x_arch">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-package_gdm:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="grub2">
-          <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_grub2_package:def:1"/>
+        <cpe-lang:platform id="not_rhcos4-rhel9">
+          <cpe-lang:logical-test operator="AND" negate="true">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-installed_OS_is_rhcos4_rhel9:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_zypper">
+        <cpe-lang:platform id="package_chrony">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-package_zypper:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="wifi-iface">
+        <cpe-lang:platform id="machine_and_mount_var-tmp">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_wifi_interface:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_var-tmp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_ntp">
+        <cpe-lang:platform id="package_sudo">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-package_sudo:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
/usr/share/xml/scap/ssg/content/ssg-sle12-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-sle12-ds.xml	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-sle12-ds.xml	2023-07-27 00:00:00.000000000 +0000
@@ -39,7 +39,7 @@
   </ds:component>
   <ds:component id="scap_org.open-scap_comp_ssg-sle12-xccdf.xml" timestamp="2023-07-27T00:00:00">
     <xccdf-1.2:Benchmark id="xccdf_org.ssgproject.content_benchmark_SLE-12" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.2 xccdf-1.2.xsd" style="SCAP_1.2" resolved="true" xml:lang="en-US">
-      <xccdf-1.2:status date="2023-07-27">draft</xccdf-1.2:status>
+      <xccdf-1.2:status date="2039-08-29">draft</xccdf-1.2:status>
       <xccdf-1.2:title>Guide to the Secure Configuration of SUSE Linux Enterprise 12</xccdf-1.2:title>
       <xccdf-1.2:description>This guide presents a catalog of security-relevant
 configuration settings for SUSE Linux Enterprise 12. It is a rendering of
@@ -82,23 +82,29 @@
 countries. All other names are registered trademarks or trademarks of their
 respective companies.</xccdf-1.2:rear-matter>
       <cpe-lang:platform-specification>
-        <cpe-lang:platform id="machine_and_not_s390x_arch">
+        <cpe-lang:platform id="wifi-iface">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_wifi_interface:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_not_osbuild">
+        <cpe-lang:platform id="package_yum">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:logical-test operator="AND" negate="true">
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
-            </cpe-lang:logical-test>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-package_yum:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_sssd">
+        <cpe-lang:platform id="package_zypper">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-package_zypper:def:1"/>
+          </cpe-lang:logical-test>
+        </cpe-lang:platform>
+        <cpe-lang:platform id="not_package_chrony_and_not_package_ntp">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:logical-test operator="AND" negate="true">
+              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
+            </cpe-lang:logical-test>
+            <cpe-lang:logical-test operator="AND" negate="true">
+              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
+            </cpe-lang:logical-test>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="package_postfix">
@@ -106,50 +112,50 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_mount_var-tmp">
+        <cpe-lang:platform id="non-uefi">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_var-tmp:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_pam">
+        <cpe-lang:platform id="machine_and_not_osbuild">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
+            <cpe-lang:logical-test operator="AND" negate="true">
+              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
+            </cpe-lang:logical-test>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="not_osbuild">
-          <cpe-lang:logical-test operator="AND" negate="true">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
+        <cpe-lang:platform id="package_ntp">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine">
+        <cpe-lang:platform id="machine_and_mount_tmp">
           <cpe-lang:logical-test operator="AND" negate="false">
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_tmp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_shadow-utils">
+        <cpe-lang:platform id="machine_and_not_s390x_arch">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-package_shadow-utils:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_yum">
+        <cpe-lang:platform id="package_sssd">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-package_yum:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_libuser">
+        <cpe-lang:platform id="machine_and_package_ufw">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-package_libuser:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="not_s390x_arch">
+        <cpe-lang:platform id="package_libuser">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
-          </cpe-lang:logical-test>
-        </cpe-lang:platform>
-        <cpe-lang:platform id="not_rhcos4-rhel9">
-          <cpe-lang:logical-test operator="AND" negate="true">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-installed_OS_is_rhcos4_rhel9:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-package_libuser:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="package_chrony_or_package_ntp">
@@ -158,65 +164,45 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_systemd">
-          <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-package_systemd:def:1"/>
-          </cpe-lang:logical-test>
-        </cpe-lang:platform>
-        <cpe-lang:platform id="non-uefi">
-          <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
-          </cpe-lang:logical-test>
-        </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_mount_tmp">
-          <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_tmp:def:1"/>
-          </cpe-lang:logical-test>
-        </cpe-lang:platform>
-        <cpe-lang:platform id="package_sudo">
+        <cpe-lang:platform id="package_gdm">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-package_sudo:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-package_gdm:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="not_package_nftables_and_not_package_ufw">
+        <cpe-lang:platform id="package_pam">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:logical-test operator="AND" negate="true">
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-package_nftables:def:1"/>
-            </cpe-lang:logical-test>
-            <cpe-lang:logical-test operator="AND" negate="true">
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
-            </cpe-lang:logical-test>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_gdm">
+        <cpe-lang:platform id="not_s390x_arch">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-package_gdm:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="grub2">
-          <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_grub2_package:def:1"/>
+        <cpe-lang:platform id="not_rhcos4-rhel9">
+          <cpe-lang:logical-test operator="AND" negate="true">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-installed_OS_is_rhcos4_rhel9:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_zypper">
+        <cpe-lang:platform id="package_chrony">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-package_zypper:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="wifi-iface">
+        <cpe-lang:platform id="machine_and_mount_var-tmp">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_wifi_interface:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_var-tmp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_ntp">
+        <cpe-lang:platform id="package_sudo">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-package_sudo:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
/usr/share/xml/scap/ssg/content/ssg-sle12-ocil.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-sle12-ocil.xml	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-sle12-ocil.xml	2023-07-27 00:00:00.000000000 +0000
@@ -7,778 +7,779 @@
     <ocil:timestamp>2023-07-27T00:00:00</ocil:timestamp>
   </ocil:generator>
   <ocil:questionnaires>
-    <ocil:questionnaire id="ocil:ssg-account_passwords_pam_faillock_dir_ocil:questionnaire:1">
-      <ocil:title>Account Lockouts Must Persist</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-file_permissions_unauthorized_sgid_ocil:questionnaire:1">
+      <ocil:title>Ensure All SGID Executables Are Authorized</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-account_passwords_pam_faillock_dir_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-file_permissions_unauthorized_sgid_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-sshd_enable_warning_banner_net_ocil:questionnaire:1">
-      <ocil:title>Enable SSH Warning Banner</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-partition_for_usr_ocil:questionnaire:1">
+      <ocil:title>Ensure /usr Located On Separate Partition</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-sshd_enable_warning_banner_net_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-partition_for_usr_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-mount_option_tmp_nodev_ocil:questionnaire:1">
-      <ocil:title>Add nodev Option to /tmp</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-service_smb_disabled_ocil:questionnaire:1">
+      <ocil:title>Disable Samba</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-mount_option_tmp_nodev_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-service_smb_disabled_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-package_rpcbind_removed_ocil:questionnaire:1">
-      <ocil:title>Uninstall rpcbind Package</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-kernel_config_kexec_ocil:questionnaire:1">
+      <ocil:title>Disable kexec system call</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-package_rpcbind_removed_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-kernel_config_kexec_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-mount_option_nodev_nonroot_local_partitions_ocil:questionnaire:1">
-      <ocil:title>Add nodev Option to Non-Root Local Partitions</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-no_legacy_plus_entries_etc_shadow_ocil:questionnaire:1">
+      <ocil:title>Ensure there are no legacy + NIS entries in /etc/shadow</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-mount_option_nodev_nonroot_local_partitions_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-no_legacy_plus_entries_etc_shadow_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-set_password_hashing_min_rounds_logindefs_ocil:questionnaire:1">
-      <ocil:title>Set Password Hashing Rounds in /etc/login.defs</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-accounts_password_set_max_life_existing_ocil:questionnaire:1">
+      <ocil:title>Set Existing Passwords Maximum Age</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-set_password_hashing_min_rounds_logindefs_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-accounts_password_set_max_life_existing_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-ntpd_configure_restrictions_ocil:questionnaire:1">
-      <ocil:title>Configure server restrictions for ntpd</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-file_permission_user_init_files_ocil:questionnaire:1">
+      <ocil:title>Ensure All User Initialization Files Have Mode 0740 Or Less Permissive</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-ntpd_configure_restrictions_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-file_permission_user_init_files_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-package_MFEhiplsm_installed_ocil:questionnaire:1">
-      <ocil:title>Install the Host Intrusion Prevention System (HIPS) Module</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-audit_rules_privileged_commands_passmass_ocil:questionnaire:1">
+      <ocil:title>Ensure auditd Collects Information on the Use of Privileged Commands - passmass</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-package_MFEhiplsm_installed_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-audit_rules_privileged_commands_passmass_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-grub2_disable_recovery_ocil:questionnaire:1">
-      <ocil:title>Disable Recovery Booting</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-is_fips_mode_enabled_ocil:questionnaire:1">
+      <ocil:title>Verify '/proc/sys/crypto/fips_enabled' exists</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-grub2_disable_recovery_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-is_fips_mode_enabled_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-sudo_vdsm_nopasswd_ocil:questionnaire:1">
-      <ocil:title>Only the VDSM User Can Use sudo NOPASSWD</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-mount_option_noexec_remote_filesystems_ocil:questionnaire:1">
+      <ocil:title>Mount Remote Filesystems with noexec</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-sudo_vdsm_nopasswd_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-mount_option_noexec_remote_filesystems_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-file_owner_var_log_messages_ocil:questionnaire:1">
-      <ocil:title>Verify User Who Owns /var/log/messages File</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-package_ypserv_removed_ocil:questionnaire:1">
+      <ocil:title>Uninstall ypserv Package</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-file_owner_var_log_messages_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-package_ypserv_removed_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv6_conf_default_accept_ra_pinfo_ocil:questionnaire:1">
-      <ocil:title>Configure Accepting Prefix Information in Router Advertisements on All IPv6 Interfaces By Default</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-gui_login_dod_acknowledgement_ocil:questionnaire:1">
+      <ocil:title>Display the Standard Mandatory DoD Notice and Consent Banner until Explicit Acknowledgement</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv6_conf_default_accept_ra_pinfo_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-gui_login_dod_acknowledgement_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-grub2_password_ocil:questionnaire:1">
-      <ocil:title>Set Boot Loader Password in grub2</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-file_owner_cron_hourly_ocil:questionnaire:1">
+      <ocil:title>Verify Owner on cron.hourly</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-grub2_password_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-file_owner_cron_hourly_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv4_conf_default_send_redirects_ocil:questionnaire:1">
-      <ocil:title>Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-audit_rules_login_events_tallylog_ocil:questionnaire:1">
+      <ocil:title>Record Attempts to Alter Logon and Logout Events - tallylog</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv4_conf_default_send_redirects_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-audit_rules_login_events_tallylog_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-file_groupowner_etc_shadow_ocil:questionnaire:1">
-      <ocil:title>Verify Group Who Owns shadow File</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv6_conf_default_accept_source_route_ocil:questionnaire:1">
+      <ocil:title>Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-file_groupowner_etc_shadow_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv6_conf_default_accept_source_route_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-smartcard_configure_ca_ocil:questionnaire:1">
-      <ocil:title>Configure Smart Card Certificate Authority Validation</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-cracklib_accounts_password_pam_minlen_ocil:questionnaire:1">
+      <ocil:title>Set Password Minimum Length</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-smartcard_configure_ca_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-cracklib_accounts_password_pam_minlen_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-mount_option_opt_nosuid_ocil:questionnaire:1">
-      <ocil:title>Add nosuid Option to /opt</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-sudo_require_reauthentication_ocil:questionnaire:1">
+      <ocil:title>Require Re-Authentication When Using the sudo Command</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-mount_option_opt_nosuid_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-sudo_require_reauthentication_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-auditd_data_retention_space_left_ocil:questionnaire:1">
-      <ocil:title>Configure auditd space_left on Low Disk Space</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-rsyslog_files_ownership_ocil:questionnaire:1">
+      <ocil:title>Ensure Log Files Are Owned By Appropriate User</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-auditd_data_retention_space_left_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-rsyslog_files_ownership_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_rtr_pref_ocil:questionnaire:1">
-      <ocil:title>Configure Accepting Router Preference in Router Advertisements on All IPv6 Interfaces</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-auditd_data_retention_max_log_file_action_ocil:questionnaire:1">
+      <ocil:title>Configure auditd max_log_file_action Upon Reaching Maximum Log Size</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_rtr_pref_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-auditd_data_retention_max_log_file_action_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-permissions_local_var_log_ocil:questionnaire:1">
-      <ocil:title>Verify permissions of log files</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-file_groupowner_var_log_syslog_ocil:questionnaire:1">
+      <ocil:title>Verify Group Who Owns /var/log/syslog File</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-permissions_local_var_log_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-file_groupowner_var_log_syslog_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-file_permissions_backup_etc_shadow_ocil:questionnaire:1">
-      <ocil:title>Verify Permissions on Backup shadow File</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-grub2_nosmep_argument_absent_ocil:questionnaire:1">
+      <ocil:title>Ensure SMEP is not disabled during boot</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-file_permissions_backup_etc_shadow_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-grub2_nosmep_argument_absent_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-set_ip6tables_default_rule_ocil:questionnaire:1">
-      <ocil:title>Set Default ip6tables Policy for Incoming Packets</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-rsyslog_nolisten_ocil:questionnaire:1">
+      <ocil:title>Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server</ocil:title>
       <ocil:actions>
/usr/share/xml/scap/ssg/content/ssg-sle12-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-sle12-xccdf.xml	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-sle12-xccdf.xml	2023-07-27 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
 <?xml version="1.0"?>
 <xccdf-1.2:Benchmark xmlns:cpe-lang="http://cpe.mitre.org/language/2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:html="http://www.w3.org/1999/xhtml" xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="xccdf_org.ssgproject.content_benchmark_SLE-12" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.2 xccdf-1.2.xsd" style="SCAP_1.2" resolved="true" xml:lang="en-US">
-  <xccdf-1.2:status date="2023-07-27">draft</xccdf-1.2:status>
+  <xccdf-1.2:status date="2039-08-29">draft</xccdf-1.2:status>
   <xccdf-1.2:title>Guide to the Secure Configuration of SUSE Linux Enterprise 12</xccdf-1.2:title>
   <xccdf-1.2:description>This guide presents a catalog of security-relevant
 configuration settings for SUSE Linux Enterprise 12. It is a rendering of
@@ -43,23 +43,29 @@
 countries. All other names are registered trademarks or trademarks of their
 respective companies.</xccdf-1.2:rear-matter>
   <cpe-lang:platform-specification>
-    <cpe-lang:platform id="machine_and_not_s390x_arch">
+    <cpe-lang:platform id="wifi-iface">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_wifi_interface:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="machine_and_not_osbuild">
+    <cpe-lang:platform id="package_yum">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:logical-test operator="AND" negate="true">
-          <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
-        </cpe-lang:logical-test>
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-package_yum:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_sssd">
+    <cpe-lang:platform id="package_zypper">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-package_zypper:def:1"/>
+      </cpe-lang:logical-test>
+    </cpe-lang:platform>
+    <cpe-lang:platform id="not_package_chrony_and_not_package_ntp">
+      <cpe-lang:logical-test operator="AND" negate="false">
+        <cpe-lang:logical-test operator="AND" negate="true">
+          <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
+        </cpe-lang:logical-test>
+        <cpe-lang:logical-test operator="AND" negate="true">
+          <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
+        </cpe-lang:logical-test>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
     <cpe-lang:platform id="package_postfix">
@@ -67,50 +73,50 @@
         <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="machine_and_mount_var-tmp">
+    <cpe-lang:platform id="non-uefi">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_var-tmp:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_pam">
+    <cpe-lang:platform id="machine_and_not_osbuild">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
+        <cpe-lang:logical-test operator="AND" negate="true">
+          <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
+        </cpe-lang:logical-test>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="not_osbuild">
-      <cpe-lang:logical-test operator="AND" negate="true">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
+    <cpe-lang:platform id="package_ntp">
+      <cpe-lang:logical-test operator="AND" negate="false">
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="machine">
+    <cpe-lang:platform id="machine_and_mount_tmp">
       <cpe-lang:logical-test operator="AND" negate="false">
         <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_tmp:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_shadow-utils">
+    <cpe-lang:platform id="machine_and_not_s390x_arch">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-package_shadow-utils:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_yum">
+    <cpe-lang:platform id="package_sssd">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-package_yum:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_libuser">
+    <cpe-lang:platform id="machine_and_package_ufw">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-package_libuser:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="not_s390x_arch">
+    <cpe-lang:platform id="package_libuser">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
-      </cpe-lang:logical-test>
-    </cpe-lang:platform>
-    <cpe-lang:platform id="not_rhcos4-rhel9">
-      <cpe-lang:logical-test operator="AND" negate="true">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-installed_OS_is_rhcos4_rhel9:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-package_libuser:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
     <cpe-lang:platform id="package_chrony_or_package_ntp">
@@ -119,65 +125,45 @@
         <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_systemd">
-      <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-package_systemd:def:1"/>
-      </cpe-lang:logical-test>
-    </cpe-lang:platform>
-    <cpe-lang:platform id="non-uefi">
-      <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
-      </cpe-lang:logical-test>
-    </cpe-lang:platform>
-    <cpe-lang:platform id="machine_and_mount_tmp">
-      <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_tmp:def:1"/>
-      </cpe-lang:logical-test>
-    </cpe-lang:platform>
-    <cpe-lang:platform id="package_sudo">
+    <cpe-lang:platform id="package_gdm">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-package_sudo:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-package_gdm:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="not_package_nftables_and_not_package_ufw">
+    <cpe-lang:platform id="package_pam">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:logical-test operator="AND" negate="true">
-          <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-package_nftables:def:1"/>
-        </cpe-lang:logical-test>
-        <cpe-lang:logical-test operator="AND" negate="true">
-          <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
-        </cpe-lang:logical-test>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_gdm">
+    <cpe-lang:platform id="not_s390x_arch">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-package_gdm:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="grub2">
-      <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_grub2_package:def:1"/>
+    <cpe-lang:platform id="not_rhcos4-rhel9">
+      <cpe-lang:logical-test operator="AND" negate="true">
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-installed_OS_is_rhcos4_rhel9:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_zypper">
+    <cpe-lang:platform id="package_chrony">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-package_zypper:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="wifi-iface">
+    <cpe-lang:platform id="machine_and_mount_var-tmp">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_wifi_interface:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_var-tmp:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_ntp">
+    <cpe-lang:platform id="package_sudo">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle12-cpe-oval.xml" id-ref="oval:ssg-package_sudo:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_chrony">
/usr/share/xml/scap/ssg/content/ssg-sle15-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-sle15-ds-1.2.xml	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-sle15-ds-1.2.xml	2023-07-27 00:00:00.000000000 +0000
@@ -37,7 +37,7 @@
   </ds:component>
   <ds:component id="scap_org.open-scap_comp_ssg-sle15-xccdf.xml" timestamp="2023-07-27T00:00:00">
     <xccdf-1.2:Benchmark id="xccdf_org.ssgproject.content_benchmark_SLE-15" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.2 xccdf-1.2.xsd" style="SCAP_1.2" resolved="true" xml:lang="en-US">
-      <xccdf-1.2:status date="2023-07-27">draft</xccdf-1.2:status>
+      <xccdf-1.2:status date="2039-08-29">draft</xccdf-1.2:status>
       <xccdf-1.2:title>Guide to the Secure Configuration of SUSE Linux Enterprise 15</xccdf-1.2:title>
       <xccdf-1.2:description>This guide presents a catalog of security-relevant
 configuration settings for SUSE Linux Enterprise 15. It is a rendering of
@@ -80,23 +80,29 @@
 countries. All other names are registered trademarks or trademarks of their
 respective companies.</xccdf-1.2:rear-matter>
       <cpe-lang:platform-specification>
-        <cpe-lang:platform id="machine_and_not_s390x_arch">
+        <cpe-lang:platform id="wifi-iface">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_wifi_interface:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_not_osbuild">
+        <cpe-lang:platform id="package_yum">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:logical-test operator="AND" negate="true">
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
-            </cpe-lang:logical-test>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-package_yum:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_sssd">
+        <cpe-lang:platform id="package_zypper">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-package_zypper:def:1"/>
+          </cpe-lang:logical-test>
+        </cpe-lang:platform>
+        <cpe-lang:platform id="not_package_chrony_and_not_package_ntp">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:logical-test operator="AND" negate="true">
+              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
+            </cpe-lang:logical-test>
+            <cpe-lang:logical-test operator="AND" negate="true">
+              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
+            </cpe-lang:logical-test>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="package_postfix">
@@ -104,50 +110,50 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_mount_var-tmp">
+        <cpe-lang:platform id="non-uefi">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_var-tmp:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_pam">
+        <cpe-lang:platform id="machine_and_not_osbuild">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
+            <cpe-lang:logical-test operator="AND" negate="true">
+              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
+            </cpe-lang:logical-test>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="not_osbuild">
-          <cpe-lang:logical-test operator="AND" negate="true">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
+        <cpe-lang:platform id="package_ntp">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine">
+        <cpe-lang:platform id="machine_and_mount_tmp">
           <cpe-lang:logical-test operator="AND" negate="false">
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_tmp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_shadow-utils">
+        <cpe-lang:platform id="machine_and_not_s390x_arch">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-package_shadow-utils:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_yum">
+        <cpe-lang:platform id="package_sssd">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-package_yum:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_libuser">
+        <cpe-lang:platform id="machine_and_package_ufw">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-package_libuser:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="not_s390x_arch">
+        <cpe-lang:platform id="package_libuser">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
-          </cpe-lang:logical-test>
-        </cpe-lang:platform>
-        <cpe-lang:platform id="not_rhcos4-rhel9">
-          <cpe-lang:logical-test operator="AND" negate="true">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-installed_OS_is_rhcos4_rhel9:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-package_libuser:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="package_chrony_or_package_ntp">
@@ -156,70 +162,50 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_systemd">
-          <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-package_systemd:def:1"/>
-          </cpe-lang:logical-test>
-        </cpe-lang:platform>
-        <cpe-lang:platform id="non-uefi">
-          <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
-          </cpe-lang:logical-test>
-        </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_mount_tmp">
-          <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_tmp:def:1"/>
-          </cpe-lang:logical-test>
-        </cpe-lang:platform>
-        <cpe-lang:platform id="package_sudo">
-          <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-package_sudo:def:1"/>
-          </cpe-lang:logical-test>
-        </cpe-lang:platform>
         <cpe-lang:platform id="package_nftables">
           <cpe-lang:logical-test operator="AND" negate="false">
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-package_nftables:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="not_package_nftables_and_not_package_ufw">
+        <cpe-lang:platform id="package_gdm">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:logical-test operator="AND" negate="true">
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-package_nftables:def:1"/>
-            </cpe-lang:logical-test>
-            <cpe-lang:logical-test operator="AND" negate="true">
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
-            </cpe-lang:logical-test>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-package_gdm:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_gdm">
+        <cpe-lang:platform id="package_pam">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-package_gdm:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="grub2">
+        <cpe-lang:platform id="not_s390x_arch">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_grub2_package:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_zypper">
+        <cpe-lang:platform id="not_rhcos4-rhel9">
+          <cpe-lang:logical-test operator="AND" negate="true">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-installed_OS_is_rhcos4_rhel9:def:1"/>
+          </cpe-lang:logical-test>
+        </cpe-lang:platform>
+        <cpe-lang:platform id="package_chrony">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-package_zypper:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="wifi-iface">
+        <cpe-lang:platform id="machine_and_mount_var-tmp">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_wifi_interface:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_var-tmp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
/usr/share/xml/scap/ssg/content/ssg-sle15-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-sle15-ds.xml	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-sle15-ds.xml	2023-07-27 00:00:00.000000000 +0000
@@ -39,7 +39,7 @@
   </ds:component>
   <ds:component id="scap_org.open-scap_comp_ssg-sle15-xccdf.xml" timestamp="2023-07-27T00:00:00">
     <xccdf-1.2:Benchmark id="xccdf_org.ssgproject.content_benchmark_SLE-15" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.2 xccdf-1.2.xsd" style="SCAP_1.2" resolved="true" xml:lang="en-US">
-      <xccdf-1.2:status date="2023-07-27">draft</xccdf-1.2:status>
+      <xccdf-1.2:status date="2039-08-29">draft</xccdf-1.2:status>
       <xccdf-1.2:title>Guide to the Secure Configuration of SUSE Linux Enterprise 15</xccdf-1.2:title>
       <xccdf-1.2:description>This guide presents a catalog of security-relevant
 configuration settings for SUSE Linux Enterprise 15. It is a rendering of
@@ -82,23 +82,29 @@
 countries. All other names are registered trademarks or trademarks of their
 respective companies.</xccdf-1.2:rear-matter>
       <cpe-lang:platform-specification>
-        <cpe-lang:platform id="machine_and_not_s390x_arch">
+        <cpe-lang:platform id="wifi-iface">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_wifi_interface:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_not_osbuild">
+        <cpe-lang:platform id="package_yum">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:logical-test operator="AND" negate="true">
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
-            </cpe-lang:logical-test>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-package_yum:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_sssd">
+        <cpe-lang:platform id="package_zypper">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-package_zypper:def:1"/>
+          </cpe-lang:logical-test>
+        </cpe-lang:platform>
+        <cpe-lang:platform id="not_package_chrony_and_not_package_ntp">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:logical-test operator="AND" negate="true">
+              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
+            </cpe-lang:logical-test>
+            <cpe-lang:logical-test operator="AND" negate="true">
+              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
+            </cpe-lang:logical-test>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="package_postfix">
@@ -106,50 +112,50 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_mount_var-tmp">
+        <cpe-lang:platform id="non-uefi">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_var-tmp:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_pam">
+        <cpe-lang:platform id="machine_and_not_osbuild">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
+            <cpe-lang:logical-test operator="AND" negate="true">
+              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
+            </cpe-lang:logical-test>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="not_osbuild">
-          <cpe-lang:logical-test operator="AND" negate="true">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
+        <cpe-lang:platform id="package_ntp">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine">
+        <cpe-lang:platform id="machine_and_mount_tmp">
           <cpe-lang:logical-test operator="AND" negate="false">
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_tmp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_shadow-utils">
+        <cpe-lang:platform id="machine_and_not_s390x_arch">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-package_shadow-utils:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_yum">
+        <cpe-lang:platform id="package_sssd">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-package_yum:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_libuser">
+        <cpe-lang:platform id="machine_and_package_ufw">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-package_libuser:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="not_s390x_arch">
+        <cpe-lang:platform id="package_libuser">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
-          </cpe-lang:logical-test>
-        </cpe-lang:platform>
-        <cpe-lang:platform id="not_rhcos4-rhel9">
-          <cpe-lang:logical-test operator="AND" negate="true">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-installed_OS_is_rhcos4_rhel9:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-package_libuser:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="package_chrony_or_package_ntp">
@@ -158,70 +164,50 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_systemd">
-          <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-package_systemd:def:1"/>
-          </cpe-lang:logical-test>
-        </cpe-lang:platform>
-        <cpe-lang:platform id="non-uefi">
-          <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
-          </cpe-lang:logical-test>
-        </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_mount_tmp">
-          <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_tmp:def:1"/>
-          </cpe-lang:logical-test>
-        </cpe-lang:platform>
-        <cpe-lang:platform id="package_sudo">
-          <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-package_sudo:def:1"/>
-          </cpe-lang:logical-test>
-        </cpe-lang:platform>
         <cpe-lang:platform id="package_nftables">
           <cpe-lang:logical-test operator="AND" negate="false">
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-package_nftables:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="not_package_nftables_and_not_package_ufw">
+        <cpe-lang:platform id="package_gdm">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:logical-test operator="AND" negate="true">
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-package_nftables:def:1"/>
-            </cpe-lang:logical-test>
-            <cpe-lang:logical-test operator="AND" negate="true">
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
-            </cpe-lang:logical-test>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-package_gdm:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_gdm">
+        <cpe-lang:platform id="package_pam">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-package_gdm:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="grub2">
+        <cpe-lang:platform id="not_s390x_arch">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_grub2_package:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_zypper">
+        <cpe-lang:platform id="not_rhcos4-rhel9">
+          <cpe-lang:logical-test operator="AND" negate="true">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-installed_OS_is_rhcos4_rhel9:def:1"/>
+          </cpe-lang:logical-test>
+        </cpe-lang:platform>
+        <cpe-lang:platform id="package_chrony">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-package_zypper:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="wifi-iface">
+        <cpe-lang:platform id="machine_and_mount_var-tmp">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_wifi_interface:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_var-tmp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
/usr/share/xml/scap/ssg/content/ssg-sle15-ocil.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-sle15-ocil.xml	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-sle15-ocil.xml	2023-07-27 00:00:00.000000000 +0000
@@ -7,232 +7,250 @@
     <ocil:timestamp>2023-07-27T00:00:00</ocil:timestamp>
   </ocil:generator>
   <ocil:questionnaires>
-    <ocil:questionnaire id="ocil:ssg-account_passwords_pam_faillock_dir_ocil:questionnaire:1">
-      <ocil:title>Account Lockouts Must Persist</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-file_permissions_unauthorized_sgid_ocil:questionnaire:1">
+      <ocil:title>Ensure All SGID Executables Are Authorized</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-account_passwords_pam_faillock_dir_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-file_permissions_unauthorized_sgid_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-sshd_enable_warning_banner_net_ocil:questionnaire:1">
-      <ocil:title>Enable SSH Warning Banner</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-partition_for_usr_ocil:questionnaire:1">
+      <ocil:title>Ensure /usr Located On Separate Partition</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-sshd_enable_warning_banner_net_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-partition_for_usr_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-mount_option_tmp_nodev_ocil:questionnaire:1">
-      <ocil:title>Add nodev Option to /tmp</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-service_smb_disabled_ocil:questionnaire:1">
+      <ocil:title>Disable Samba</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-mount_option_tmp_nodev_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-service_smb_disabled_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-package_rpcbind_removed_ocil:questionnaire:1">
-      <ocil:title>Uninstall rpcbind Package</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-kernel_config_kexec_ocil:questionnaire:1">
+      <ocil:title>Disable kexec system call</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-package_rpcbind_removed_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-kernel_config_kexec_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-mount_option_nodev_nonroot_local_partitions_ocil:questionnaire:1">
-      <ocil:title>Add nodev Option to Non-Root Local Partitions</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-no_legacy_plus_entries_etc_shadow_ocil:questionnaire:1">
+      <ocil:title>Ensure there are no legacy + NIS entries in /etc/shadow</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-mount_option_nodev_nonroot_local_partitions_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-no_legacy_plus_entries_etc_shadow_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-set_password_hashing_min_rounds_logindefs_ocil:questionnaire:1">
-      <ocil:title>Set Password Hashing Rounds in /etc/login.defs</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-accounts_password_set_max_life_existing_ocil:questionnaire:1">
+      <ocil:title>Set Existing Passwords Maximum Age</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-set_password_hashing_min_rounds_logindefs_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-accounts_password_set_max_life_existing_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-package_MFEhiplsm_installed_ocil:questionnaire:1">
-      <ocil:title>Install the Host Intrusion Prevention System (HIPS) Module</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-file_permission_user_init_files_ocil:questionnaire:1">
+      <ocil:title>Ensure All User Initialization Files Have Mode 0740 Or Less Permissive</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-package_MFEhiplsm_installed_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-file_permission_user_init_files_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-grub2_disable_recovery_ocil:questionnaire:1">
-      <ocil:title>Disable Recovery Booting</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-audit_rules_privileged_commands_passmass_ocil:questionnaire:1">
+      <ocil:title>Ensure auditd Collects Information on the Use of Privileged Commands - passmass</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-grub2_disable_recovery_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-audit_rules_privileged_commands_passmass_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-sudo_vdsm_nopasswd_ocil:questionnaire:1">
-      <ocil:title>Only the VDSM User Can Use sudo NOPASSWD</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-is_fips_mode_enabled_ocil:questionnaire:1">
+      <ocil:title>Verify '/proc/sys/crypto/fips_enabled' exists</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-sudo_vdsm_nopasswd_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-is_fips_mode_enabled_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-audit_rules_session_events_btmp_ocil:questionnaire:1">
-      <ocil:title>Record Attempts to Alter Process and Session Initiation Information btmp</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-mount_option_noexec_remote_filesystems_ocil:questionnaire:1">
+      <ocil:title>Mount Remote Filesystems with noexec</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-audit_rules_session_events_btmp_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-mount_option_noexec_remote_filesystems_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-package_samba-common_installed_ocil:questionnaire:1">
-      <ocil:title>Install the Samba Common Package</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-package_ypserv_removed_ocil:questionnaire:1">
+      <ocil:title>Uninstall ypserv Package</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-package_samba-common_installed_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-package_ypserv_removed_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-file_owner_var_log_messages_ocil:questionnaire:1">
-      <ocil:title>Verify User Who Owns /var/log/messages File</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-gui_login_dod_acknowledgement_ocil:questionnaire:1">
+      <ocil:title>Display the Standard Mandatory DoD Notice and Consent Banner until Explicit Acknowledgement</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-file_owner_var_log_messages_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-gui_login_dod_acknowledgement_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv6_conf_default_accept_ra_pinfo_ocil:questionnaire:1">
-      <ocil:title>Configure Accepting Prefix Information in Router Advertisements on All IPv6 Interfaces By Default</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-file_owner_cron_hourly_ocil:questionnaire:1">
+      <ocil:title>Verify Owner on cron.hourly</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv6_conf_default_accept_ra_pinfo_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-file_owner_cron_hourly_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-grub2_password_ocil:questionnaire:1">
-      <ocil:title>Set Boot Loader Password in grub2</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-audit_rules_login_events_tallylog_ocil:questionnaire:1">
+      <ocil:title>Record Attempts to Alter Logon and Logout Events - tallylog</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-grub2_password_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-audit_rules_login_events_tallylog_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv4_conf_default_send_redirects_ocil:questionnaire:1">
-      <ocil:title>Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-service_tftp_disabled_ocil:questionnaire:1">
+      <ocil:title>Disable tftp Service</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv4_conf_default_send_redirects_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-service_tftp_disabled_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-file_groupowner_etc_shadow_ocil:questionnaire:1">
-      <ocil:title>Verify Group Who Owns shadow File</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv6_conf_default_accept_source_route_ocil:questionnaire:1">
+      <ocil:title>Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-file_groupowner_etc_shadow_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv6_conf_default_accept_source_route_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-smartcard_configure_ca_ocil:questionnaire:1">
-      <ocil:title>Configure Smart Card Certificate Authority Validation</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-cracklib_accounts_password_pam_minlen_ocil:questionnaire:1">
+      <ocil:title>Set Password Minimum Length</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-smartcard_configure_ca_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-cracklib_accounts_password_pam_minlen_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-mount_option_opt_nosuid_ocil:questionnaire:1">
-      <ocil:title>Add nosuid Option to /opt</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-sudo_require_reauthentication_ocil:questionnaire:1">
+      <ocil:title>Require Re-Authentication When Using the sudo Command</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-mount_option_opt_nosuid_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-sudo_require_reauthentication_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-auditd_data_retention_space_left_ocil:questionnaire:1">
-      <ocil:title>Configure auditd space_left on Low Disk Space</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-rsyslog_files_ownership_ocil:questionnaire:1">
+      <ocil:title>Ensure Log Files Are Owned By Appropriate User</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-auditd_data_retention_space_left_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-rsyslog_files_ownership_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_rtr_pref_ocil:questionnaire:1">
-      <ocil:title>Configure Accepting Router Preference in Router Advertisements on All IPv6 Interfaces</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-auditd_data_retention_max_log_file_action_ocil:questionnaire:1">
+      <ocil:title>Configure auditd max_log_file_action Upon Reaching Maximum Log Size</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_rtr_pref_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-auditd_data_retention_max_log_file_action_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-permissions_local_var_log_ocil:questionnaire:1">
-      <ocil:title>Verify permissions of log files</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-file_groupowner_var_log_syslog_ocil:questionnaire:1">
+      <ocil:title>Verify Group Who Owns /var/log/syslog File</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-permissions_local_var_log_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-file_groupowner_var_log_syslog_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-set_nftables_loopback_traffic_ocil:questionnaire:1">
-      <ocil:title>Set nftables Configuration for Loopback Traffic</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-grub2_nosmep_argument_absent_ocil:questionnaire:1">
+      <ocil:title>Ensure SMEP is not disabled during boot</ocil:title>
       <ocil:actions>
/usr/share/xml/scap/ssg/content/ssg-sle15-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-sle15-xccdf.xml	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-sle15-xccdf.xml	2023-07-27 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
 <?xml version="1.0"?>
 <xccdf-1.2:Benchmark xmlns:cpe-lang="http://cpe.mitre.org/language/2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:html="http://www.w3.org/1999/xhtml" xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="xccdf_org.ssgproject.content_benchmark_SLE-15" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.2 xccdf-1.2.xsd" style="SCAP_1.2" resolved="true" xml:lang="en-US">
-  <xccdf-1.2:status date="2023-07-27">draft</xccdf-1.2:status>
+  <xccdf-1.2:status date="2039-08-29">draft</xccdf-1.2:status>
   <xccdf-1.2:title>Guide to the Secure Configuration of SUSE Linux Enterprise 15</xccdf-1.2:title>
   <xccdf-1.2:description>This guide presents a catalog of security-relevant
 configuration settings for SUSE Linux Enterprise 15. It is a rendering of
@@ -43,23 +43,29 @@
 countries. All other names are registered trademarks or trademarks of their
 respective companies.</xccdf-1.2:rear-matter>
   <cpe-lang:platform-specification>
-    <cpe-lang:platform id="machine_and_not_s390x_arch">
+    <cpe-lang:platform id="wifi-iface">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_wifi_interface:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="machine_and_not_osbuild">
+    <cpe-lang:platform id="package_yum">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:logical-test operator="AND" negate="true">
-          <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
-        </cpe-lang:logical-test>
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-package_yum:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_sssd">
+    <cpe-lang:platform id="package_zypper">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-package_zypper:def:1"/>
+      </cpe-lang:logical-test>
+    </cpe-lang:platform>
+    <cpe-lang:platform id="not_package_chrony_and_not_package_ntp">
+      <cpe-lang:logical-test operator="AND" negate="false">
+        <cpe-lang:logical-test operator="AND" negate="true">
+          <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
+        </cpe-lang:logical-test>
+        <cpe-lang:logical-test operator="AND" negate="true">
+          <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
+        </cpe-lang:logical-test>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
     <cpe-lang:platform id="package_postfix">
@@ -67,50 +73,50 @@
         <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="machine_and_mount_var-tmp">
+    <cpe-lang:platform id="non-uefi">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_var-tmp:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_pam">
+    <cpe-lang:platform id="machine_and_not_osbuild">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
+        <cpe-lang:logical-test operator="AND" negate="true">
+          <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
+        </cpe-lang:logical-test>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="not_osbuild">
-      <cpe-lang:logical-test operator="AND" negate="true">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
+    <cpe-lang:platform id="package_ntp">
+      <cpe-lang:logical-test operator="AND" negate="false">
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="machine">
+    <cpe-lang:platform id="machine_and_mount_tmp">
       <cpe-lang:logical-test operator="AND" negate="false">
         <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_tmp:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_shadow-utils">
+    <cpe-lang:platform id="machine_and_not_s390x_arch">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-package_shadow-utils:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_yum">
+    <cpe-lang:platform id="package_sssd">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-package_yum:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_libuser">
+    <cpe-lang:platform id="machine_and_package_ufw">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-package_libuser:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="not_s390x_arch">
+    <cpe-lang:platform id="package_libuser">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
-      </cpe-lang:logical-test>
-    </cpe-lang:platform>
-    <cpe-lang:platform id="not_rhcos4-rhel9">
-      <cpe-lang:logical-test operator="AND" negate="true">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-installed_OS_is_rhcos4_rhel9:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-package_libuser:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
     <cpe-lang:platform id="package_chrony_or_package_ntp">
@@ -119,70 +125,50 @@
         <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_systemd">
-      <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-package_systemd:def:1"/>
-      </cpe-lang:logical-test>
-    </cpe-lang:platform>
-    <cpe-lang:platform id="non-uefi">
-      <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
-      </cpe-lang:logical-test>
-    </cpe-lang:platform>
-    <cpe-lang:platform id="machine_and_mount_tmp">
-      <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_tmp:def:1"/>
-      </cpe-lang:logical-test>
-    </cpe-lang:platform>
-    <cpe-lang:platform id="package_sudo">
-      <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-package_sudo:def:1"/>
-      </cpe-lang:logical-test>
-    </cpe-lang:platform>
     <cpe-lang:platform id="package_nftables">
       <cpe-lang:logical-test operator="AND" negate="false">
         <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-package_nftables:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="not_package_nftables_and_not_package_ufw">
+    <cpe-lang:platform id="package_gdm">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:logical-test operator="AND" negate="true">
-          <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-package_nftables:def:1"/>
-        </cpe-lang:logical-test>
-        <cpe-lang:logical-test operator="AND" negate="true">
-          <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
-        </cpe-lang:logical-test>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-package_gdm:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_gdm">
+    <cpe-lang:platform id="package_pam">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-package_gdm:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="grub2">
+    <cpe-lang:platform id="not_s390x_arch">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_grub2_package:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_zypper">
+    <cpe-lang:platform id="not_rhcos4-rhel9">
+      <cpe-lang:logical-test operator="AND" negate="true">
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-installed_OS_is_rhcos4_rhel9:def:1"/>
+      </cpe-lang:logical-test>
+    </cpe-lang:platform>
+    <cpe-lang:platform id="package_chrony">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-package_zypper:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="wifi-iface">
+    <cpe-lang:platform id="machine_and_mount_var-tmp">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_wifi_interface:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-sle15-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_var-tmp:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_ntp">
RPMS.2017/scap-security-guide-debian-0.1.68-0.0.noarch.rpm RPMS/scap-security-guide-debian-0.1.68-0.0.noarch.rpm differ: byte 225, line 1
Comparing scap-security-guide-debian-0.1.68-0.0.noarch.rpm to scap-security-guide-debian-0.1.68-0.0.noarch.rpm
comparing the rpm tags of scap-security-guide-debian
--- old-rpm-tags
+++ new-rpm-tags
@@ -144,4 +144,4 @@
-/usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_average.html 0de75eb435ce4cae620d256249f173837dd171d17febfd8baa547eabf74a116c 2
-/usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_high.html e987be3ecc9fdec4cb32dcd5a87c00ea7479705a87f7776c87cc3d92a184e2e2 2
-/usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_minimal.html 3f19851d6a462cd2f18571e8932de2453907240fee08cdc1f5f839435a6d15ca 2
-/usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_restrictive.html 9900bba3db702a7598bee80e21a6f175a3c87b2d9444751cde694d25153bc106 2
+/usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_average.html a2254c17d0399874030c219c94be163dfdf5f0d0b0e2972f5beed1b8bfcb8149 2
+/usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_high.html 53521aaa6f0746ad357071c6974f9d794180222b0cf131ed5e0c9469eed69b30 2
+/usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_minimal.html abe9a06294589761cf775fdf99f483266a365b35705bc385cdf69d056862ed9b 2
+/usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_restrictive.html 10be68fc165a8674ec9d06edd92dd220518a3b3a26f66df1aa36fe26634d6711 2
@@ -149,5 +149,5 @@
-/usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-standard.html 381fa758177ce103d79f4fd2ed1a8f26caadfaa869a28eb98bcc4c1f8c702d0e 2
-/usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_average.html 05ee17ec783bf7090bcec450359c7407783defcd6b57ed09031aa7745dd9eba5 2
-/usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_high.html 7b0db9eeccbc93539ad9fcf86d4413e8063e659b210f26f1b26744f72376a38f 2
-/usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_minimal.html b99b832cb2b35db5278de1c4ef20687f63270a029a3a1c23549cd4e66923ac34 2
-/usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_restrictive.html b333128ba44796532ded6f4259204209b2d05e786aee66dfa063e9a15b4c9627 2
+/usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-standard.html 05036c118965a1ecad9f1ec46300f2f35f803ef5a63aea332658afa15dfd3d02 2
+/usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_average.html 8b88f148cc4780ce02d81737dd42f97db166a233a5e52657c12e61250c809558 2
+/usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_high.html e10e6af33203be0cd38c6bd2eb978f0e0098fa924f832788ae618ecc87343dd3 2
+/usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_minimal.html 1943e00bde40b17b6a8348a44461604778cc71177cd8ac4ce83724b87d1dbb6b 2
+/usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_restrictive.html 437ae8b3914892203d3d0adfec8a097ff027d4de2f6cdc6da6428141031cafe8 2
@@ -155 +155 @@
-/usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-standard.html b2a1d5c8fcca3f66c84dc07c76160d5956591a4f076bceacbebd2fc25627b062 2
+/usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-standard.html 6cdb84e7d814164bc9d05e9b15370aa1c0e73bd57bbb3019b2ad5a4b0405cbd3 2
@@ -188,3 +188,3 @@
-/usr/share/xml/scap/ssg/content/ssg-debian10-ds-1.2.xml 062d41346bb18c042cdb4dc64386e296987d8e2756803290862d917da7b17293 0
-/usr/share/xml/scap/ssg/content/ssg-debian10-ds.xml b1e936337c17caa8c5cb3b5777184d549cdf04f6473ae1cf1c6206f3fbc9652a 0
-/usr/share/xml/scap/ssg/content/ssg-debian10-ocil.xml ae625e8c582d72b027a690d2a07a533ef0b46f6d7f697e14143838bc821aff19 0
+/usr/share/xml/scap/ssg/content/ssg-debian10-ds-1.2.xml fc19c5628354fd136a46913b3283a05ece7a04495aed1871e63bdd98a3118267 0
+/usr/share/xml/scap/ssg/content/ssg-debian10-ds.xml db1ec7345cbacf06dfd495632d0da97a26953eb202ff5882e19eac19b2596916 0
+/usr/share/xml/scap/ssg/content/ssg-debian10-ocil.xml a8d519e9ec2c0af7d9a3c59eeae6215bd502eff769bd32e728fbb9703248eb8d 0
@@ -192 +192 @@
-/usr/share/xml/scap/ssg/content/ssg-debian10-xccdf.xml d661b5d1549ac441fb0251c91873b587f6f97b9c125fd2447d446631735e3bc0 0
+/usr/share/xml/scap/ssg/content/ssg-debian10-xccdf.xml 4aaf25c83889ebc53bfe8457052e583342e3c9a212250ae84d517300022339a8 0
@@ -195,3 +195,3 @@
-/usr/share/xml/scap/ssg/content/ssg-debian11-ds-1.2.xml 17969cd6a8e9d1b0f39208356d7feb37ead59643a9ef8ce6d004dfa1f0e2acc8 0
-/usr/share/xml/scap/ssg/content/ssg-debian11-ds.xml 7deedabb209a374806af491803734e5f519a7f9af1c3435161103f01990601b5 0
-/usr/share/xml/scap/ssg/content/ssg-debian11-ocil.xml e1747d64dc34b19b95bdd1b5906fce2dc2567beb6573d08a6a02e877de778e87 0
+/usr/share/xml/scap/ssg/content/ssg-debian11-ds-1.2.xml c7a5d5d8b3777f46b754b522285a02dcc611b8f7dcfdc2eb2898ee337711fc52 0
+/usr/share/xml/scap/ssg/content/ssg-debian11-ds.xml f5290b23f731f00af22181993f80dd5696631a155ff20bca39914207fbe19392 0
+/usr/share/xml/scap/ssg/content/ssg-debian11-ocil.xml 0485f0d99116209f4196ab03da77ebfb61efe4b2b09d6ddb77cb9b51f1348116 0
@@ -199 +199 @@
-/usr/share/xml/scap/ssg/content/ssg-debian11-xccdf.xml d4805c10425749103f2aa423ecbe8828b4bde73f4d6129dd23e1e724bc54348f 0
+/usr/share/xml/scap/ssg/content/ssg-debian11-xccdf.xml 12b3fd759c139cdcb690cbaf5aabd45dad6188fd2e75bdf1f6bba2cb2968a7d4 0
comparing rpmtags
comparing RELEASE
comparing PROVIDES
comparing scripts
comparing filelist
comparing file checksum
creating rename script
RPM file checksum differs.
Extracting packages
/usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_average.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_average.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_average.html	2023-07-27 00:00:00.000000000 +0000
@@ -65,7 +65,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Profile for ANSSI DAT-NT28 Average (Intermediate) Level</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_np_nt28_average</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:debian:debian_linux:10 is applicable to this Benchmark">cpe:/o:debian:debian_linux:10</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_apt">APT service configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_DEBIAN-10"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_DEBIAN-10"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Debian 10
                           <small>Group contains 20 groups and 45 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_DEBIAN-10"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -1396,7 +1396,11 @@
 <pre>
 $ apt-get install syslog-ng-core</pre></div></td></tr><tr><td><span class="label label-primary">Rationale:</span></td><td><div class="rationale">The syslog-ng-core package provides the syslog-ng daemon, which provides
 system logging services.</div></td></tr><tr><td><span class="label label-warning">Severity:</span> </td><td><div class="severity">medium</div></td></tr><tr><td><span class="label label-primary">Rule ID:</span></td><td>xccdf_org.ssgproject.content_rule_package_syslogng_installed</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> 
-            <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R46)</a>, <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R5)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001311</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001312</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id30" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id30"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure syslog-ng is installed
+            <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R46)</a>, <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R5)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001311</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001312</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id30" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id30"><pre><code>
+[[packages]]
+name = "syslog-ng"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id31" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id31"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure syslog-ng is installed
   package:
     name: syslog-ng
     state: present
@@ -1409,10 +1413,6 @@
   - medium_severity
   - no_reboot_needed
   - package_syslogng_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id31" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id31"><pre><code>
-[[packages]]
-name = "syslog-ng"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id32" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id32"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_syslog-ng
 
 class install_syslog-ng {
@@ -1427,7 +1427,10 @@
 The <code>syslog-ng</code> service can be enabled with the following command:
 <pre>$ sudo systemctl enable syslog-ng.service</pre></div></td></tr><tr><td><span class="label label-primary">Rationale:</span></td><td><div class="rationale">The <code>syslog-ng</code> service must be running in order to provide
 logging services, which are essential to system administration.</div></td></tr><tr><td><span class="label label-warning">Severity:</span> </td><td><div class="severity">medium</div></td></tr><tr><td><span class="label label-primary">Rule ID:</span></td><td>xccdf_org.ssgproject.content_rule_service_syslogng_enabled</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> 
-            <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R46)</a>, <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R5)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO10.01</a>, <a href="https://www.isaca.org/resources/cobit">APO10.03</a>, <a href="https://www.isaca.org/resources/cobit">APO10.04</a>, <a href="https://www.isaca.org/resources/cobit">APO10.05</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI04.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.01</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.03</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.04</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.05</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001311</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001312</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001557</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001851</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.17.2.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-4(1)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id34" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id34"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service syslog-ng
+            <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R46)</a>, <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R5)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO10.01</a>, <a href="https://www.isaca.org/resources/cobit">APO10.03</a>, <a href="https://www.isaca.org/resources/cobit">APO10.04</a>, <a href="https://www.isaca.org/resources/cobit">APO10.05</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI04.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.01</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.03</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.04</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.05</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001311</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001312</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001557</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001851</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.17.2.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-4(1)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id34" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id34"><pre><code>
+[customizations.services]
+enabled = ["syslog-ng"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id35" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id35"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service syslog-ng
   block:
 
   - name: Gather the package facts
@@ -1452,9 +1455,6 @@
   - medium_severity
   - no_reboot_needed
   - service_syslogng_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id35" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id35"><pre><code>
-[customizations.services]
-enabled = ["syslog-ng"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id36" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id36"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_syslog-ng
 
 class enable_syslog-ng {
@@ -1467,7 +1467,11 @@
                                 Ensure rsyslog is Installed
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_rsyslog_installed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Rsyslog is installed by default. The <code>rsyslog</code> package can be installed with the following command: <pre> $ apt-get install rsyslog</pre></div></td></tr><tr><td><span class="label label-primary">Rationale:</span></td><td><div class="rationale">The rsyslog package provides the rsyslog daemon, which provides
 system logging services.</div></td></tr><tr><td><span class="label label-warning">Severity:</span> </td><td><div class="severity">medium</div></td></tr><tr><td><span class="label label-primary">Rule ID:</span></td><td>xccdf_org.ssgproject.content_rule_package_rsyslog_installed</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> 
-            <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001311</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001312</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(ii)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FTP_ITC_EXT.1.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000479-GPOS-00224</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000051-GPOS-00024</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id38" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id38"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rsyslog is installed
+            <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001311</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001312</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(ii)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FTP_ITC_EXT.1.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000479-GPOS-00224</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000051-GPOS-00024</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id38" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id38"><pre><code>
+[[packages]]
+name = "rsyslog"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id39" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id39"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rsyslog is installed
   package:
     name: rsyslog
     state: present
@@ -1480,10 +1484,6 @@
   - medium_severity
   - no_reboot_needed
   - package_rsyslog_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id39" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id39"><pre><code>
-[[packages]]
-name = "rsyslog"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id40" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id40"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_rsyslog
 
 class install_rsyslog {
@@ -1498,7 +1498,10 @@
 The <code>rsyslog</code> service can be enabled with the following command:
 <pre>$ sudo systemctl enable rsyslog.service</pre></div></td></tr><tr><td><span class="label label-primary">Rationale:</span></td><td><div class="rationale">The <code>rsyslog</code> service must be running in order to provide
 logging services, which are essential to system administration.</div></td></tr><tr><td><span class="label label-warning">Severity:</span> </td><td><div class="severity">medium</div></td></tr><tr><td><span class="label label-primary">Rule ID:</span></td><td>xccdf_org.ssgproject.content_rule_service_rsyslog_enabled</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> 
-            <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO10.01</a>, <a href="https://www.isaca.org/resources/cobit">APO10.03</a>, <a href="https://www.isaca.org/resources/cobit">APO10.04</a>, <a href="https://www.isaca.org/resources/cobit">APO10.05</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI04.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.01</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.03</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.04</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.05</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001311</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001312</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001557</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001851</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(ii)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.17.2.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-4(1)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id42" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id42"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service rsyslog
+            <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO10.01</a>, <a href="https://www.isaca.org/resources/cobit">APO10.03</a>, <a href="https://www.isaca.org/resources/cobit">APO10.04</a>, <a href="https://www.isaca.org/resources/cobit">APO10.05</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI04.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.01</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.03</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.04</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.05</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001311</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001312</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001557</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001851</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(ii)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.17.2.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-4(1)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id42" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id42"><pre><code>
+[customizations.services]
+enabled = ["rsyslog"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id43" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id43"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service rsyslog
   block:
 
   - name: Gather the package facts
@@ -1523,9 +1526,6 @@
   - medium_severity
   - no_reboot_needed
   - service_rsyslog_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id43" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id43"><pre><code>
-[customizations.services]
-enabled = ["rsyslog"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id44" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id44"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_rsyslog
 
 class enable_rsyslog {
@@ -2631,7 +2631,11 @@
 information on the capabilities and configuration of each of the NTP daemons.</div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_ntp_installed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntp_installed" id="guide-tree-leaf-id112" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_ntp_installed"><span class="label label-default">Rule</span>  
                                 Install the ntp service
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_ntp_installed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The ntpd service should be installed.</div></td></tr><tr><td><span class="label label-primary">Rationale:</span></td><td><div class="rationale">Time synchronization (using NTP) is required by almost all network and administrative tasks (syslog, cryptographic based services (authentication, etc.), etc.). Ntpd is regulary maintained and updated, supporting security features such as RFC 5906.</div></td></tr><tr><td><span class="label label-warning">Severity:</span> </td><td><div class="severity">high</div></td></tr><tr><td><span class="label label-primary">Rule ID:</span></td><td>xccdf_org.ssgproject.content_rule_package_ntp_installed</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> 
-            <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT012(R03)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000160</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.4</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id113" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id113"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure ntp is installed
+            <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT012(R03)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000160</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.4</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id113" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id113"><pre><code>
+[[packages]]
+name = "ntp"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id114" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id114"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure ntp is installed
   package:
     name: ntp
     state: present
@@ -2645,10 +2649,6 @@
   - low_disruption
   - no_reboot_needed
   - package_ntp_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id114" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id114"><pre><code>
-[[packages]]
-name = "ntp"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id115" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id115"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_ntp
 
 class install_ntp {
/usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_high.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_high.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_high.html	2023-07-27 00:00:00.000000000 +0000
@@ -65,7 +65,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Profile for ANSSI DAT-NT28 High (Enforced) Level</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_np_nt28_high</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:debian:debian_linux:10 is applicable to this Benchmark">cpe:/o:debian:debian_linux:10</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_apt">APT service configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_DEBIAN-10"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_DEBIAN-10"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Debian 10
                           <small>Group contains 23 groups and 50 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_DEBIAN-10"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -354,7 +354,11 @@
 </li></ul></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_audit_installed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_audit_installed" id="guide-tree-leaf-id17" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_auditing"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_audit_installed"><span class="label label-default">Rule</span>  
                                 Ensure the audit Subsystem is Installed
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_audit_installed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The audit package should be installed.</div></td></tr><tr><td><span class="label label-primary">Rationale:</span></td><td><div class="rationale">The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy.</div></td></tr><tr><td><span class="label label-warning">Severity:</span> </td><td><div class="severity">medium</div></td></tr><tr><td><span class="label label-primary">Rule ID:</span></td><td>xccdf_org.ssgproject.content_rule_package_audit_installed</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> 
-            <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R50)</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000130</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000131</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000132</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000133</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000134</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000135</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000154</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000158</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000172</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001464</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001487</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001814</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001875</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001876</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001877</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001878</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001879</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001880</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001881</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001882</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001889</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001914</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002884</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000169</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-7(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-7(2)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-14</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(2)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.1</a>, <a href="https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf">10.2.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000062-GPOS-00031</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000037-GPOS-00015</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000038-GPOS-00016</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000039-GPOS-00017</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000040-GPOS-00018</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000041-GPOS-00019</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000042-GPOS-00021</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000051-GPOS-00024</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000054-GPOS-00025</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000122-GPOS-00063</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000254-GPOS-00095</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000255-GPOS-00096</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000337-GPOS-00129</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000348-GPOS-00136</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000349-GPOS-00137</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000350-GPOS-00138</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000351-GPOS-00139</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000352-GPOS-00140</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000353-GPOS-00141</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000354-GPOS-00142</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000358-GPOS-00145</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000365-GPOS-00152</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000475-GPOS-00220</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id18" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id18"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure auditd is installed
+            <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R50)</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000130</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000131</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000132</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000133</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000134</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000135</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000154</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000158</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000172</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001464</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001487</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001814</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001875</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001876</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001877</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001878</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001879</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001880</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001881</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001882</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001889</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001914</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002884</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000169</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-7(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-7(2)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-14</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(2)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.1</a>, <a href="https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf">10.2.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000062-GPOS-00031</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000037-GPOS-00015</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000038-GPOS-00016</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000039-GPOS-00017</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000040-GPOS-00018</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000041-GPOS-00019</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000042-GPOS-00021</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000051-GPOS-00024</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000054-GPOS-00025</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000122-GPOS-00063</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000254-GPOS-00095</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000255-GPOS-00096</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000337-GPOS-00129</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000348-GPOS-00136</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000349-GPOS-00137</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000350-GPOS-00138</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000351-GPOS-00139</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000352-GPOS-00140</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000353-GPOS-00141</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000354-GPOS-00142</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000358-GPOS-00145</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000365-GPOS-00152</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000475-GPOS-00220</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id18" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id18"><pre><code>
+[[packages]]
+name = "auditd"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id19" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id19"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure auditd is installed
   package:
     name: auditd
     state: present
@@ -375,10 +379,6 @@
   - medium_severity
   - no_reboot_needed
   - package_audit_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id19" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id19"><pre><code>
-[[packages]]
-name = "auditd"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id20" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id20"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_auditd
 
 class install_auditd {
@@ -401,7 +401,10 @@
 Additionally, a properly configured audit subsystem ensures that actions of
 individual system users can be uniquely traced to those users so they
 can be held accountable for their actions.</div></td></tr><tr><td><span class="label label-warning">Severity:</span> </td><td><div class="severity">medium</div></td></tr><tr><td><span class="label label-primary">Rule ID:</span></td><td>xccdf_org.ssgproject.content_rule_service_auditd_enabled</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> 
-            <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">19</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">4</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</a>, <a href="https://www.isaca.org/resources/cobit">APO10.01</a>, <a href="https://www.isaca.org/resources/cobit">APO10.03</a>, <a href="https://www.isaca.org/resources/cobit">APO10.04</a>, <a href="https://www.isaca.org/resources/cobit">APO10.05</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">APO12.06</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI08.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.01</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.03</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.04</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.05</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.6</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000126</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000130</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000131</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000132</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000133</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000134</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000135</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000154</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000158</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000172</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001464</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001487</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001814</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001875</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001876</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001877</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002884</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001878</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001879</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001880</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001881</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001882</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001889</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001914</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000169</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(iv)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(2)(iii)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.7</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(g)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-10</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-14(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-4(23)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.1</a>, <a href="https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf">10.2.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000062-GPOS-00031</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000037-GPOS-00015</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000038-GPOS-00016</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000039-GPOS-00017</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000040-GPOS-00018</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000041-GPOS-00019</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000042-GPOS-00021</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000051-GPOS-00024</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000054-GPOS-00025</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000122-GPOS-00063</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000254-GPOS-00095</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000255-GPOS-00096</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000337-GPOS-00129</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000348-GPOS-00136</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000349-GPOS-00137</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000350-GPOS-00138</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000351-GPOS-00139</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000352-GPOS-00140</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000353-GPOS-00141</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000354-GPOS-00142</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000358-GPOS-00145</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000365-GPOS-00152</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000475-GPOS-00220</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
+            <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">19</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">4</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</a>, <a href="https://www.isaca.org/resources/cobit">APO10.01</a>, <a href="https://www.isaca.org/resources/cobit">APO10.03</a>, <a href="https://www.isaca.org/resources/cobit">APO10.04</a>, <a href="https://www.isaca.org/resources/cobit">APO10.05</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">APO12.06</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI08.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.01</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.03</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.04</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.05</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.6</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000126</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000130</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000131</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000132</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000133</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000134</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000135</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000154</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000158</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000172</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001464</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001487</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001814</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001875</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001876</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001877</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002884</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001878</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001879</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001880</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001881</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001882</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001889</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001914</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000169</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(iv)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(2)(iii)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.7</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(g)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-10</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-14(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-4(23)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.1</a>, <a href="https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf">10.2.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000062-GPOS-00031</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000037-GPOS-00015</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000038-GPOS-00016</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000039-GPOS-00017</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000040-GPOS-00018</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000041-GPOS-00019</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000042-GPOS-00021</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000051-GPOS-00024</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000054-GPOS-00025</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000122-GPOS-00063</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000254-GPOS-00095</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000255-GPOS-00096</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000337-GPOS-00129</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000348-GPOS-00136</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000349-GPOS-00137</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000350-GPOS-00138</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000351-GPOS-00139</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000352-GPOS-00140</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000353-GPOS-00141</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000354-GPOS-00142</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000358-GPOS-00145</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000365-GPOS-00152</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000475-GPOS-00220</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><pre><code>
+[customizations.services]
+enabled = ["auditd"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id23" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id23"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -467,9 +470,6 @@
   - medium_severity
   - no_reboot_needed
   - service_auditd_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id23" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id23"><pre><code>
-[customizations.services]
-enabled = ["auditd"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id24" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id24"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_auditd
 
 class enable_auditd {
@@ -1623,7 +1623,11 @@
 <pre>
 $ apt-get install syslog-ng-core</pre></div></td></tr><tr><td><span class="label label-primary">Rationale:</span></td><td><div class="rationale">The syslog-ng-core package provides the syslog-ng daemon, which provides
 system logging services.</div></td></tr><tr><td><span class="label label-warning">Severity:</span> </td><td><div class="severity">medium</div></td></tr><tr><td><span class="label label-primary">Rule ID:</span></td><td>xccdf_org.ssgproject.content_rule_package_syslogng_installed</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> 
-            <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R46)</a>, <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R5)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001311</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001312</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id39" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id39"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure syslog-ng is installed
+            <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R46)</a>, <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R5)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001311</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001312</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id39" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id39"><pre><code>
+[[packages]]
+name = "syslog-ng"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id40" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id40"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure syslog-ng is installed
   package:
     name: syslog-ng
     state: present
@@ -1636,10 +1640,6 @@
   - medium_severity
   - no_reboot_needed
   - package_syslogng_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id40" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id40"><pre><code>
-[[packages]]
-name = "syslog-ng"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id41" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id41"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_syslog-ng
 
 class install_syslog-ng {
@@ -1654,7 +1654,10 @@
 The <code>syslog-ng</code> service can be enabled with the following command:
 <pre>$ sudo systemctl enable syslog-ng.service</pre></div></td></tr><tr><td><span class="label label-primary">Rationale:</span></td><td><div class="rationale">The <code>syslog-ng</code> service must be running in order to provide
 logging services, which are essential to system administration.</div></td></tr><tr><td><span class="label label-warning">Severity:</span> </td><td><div class="severity">medium</div></td></tr><tr><td><span class="label label-primary">Rule ID:</span></td><td>xccdf_org.ssgproject.content_rule_service_syslogng_enabled</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> 
-            <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R46)</a>, <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R5)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO10.01</a>, <a href="https://www.isaca.org/resources/cobit">APO10.03</a>, <a href="https://www.isaca.org/resources/cobit">APO10.04</a>, <a href="https://www.isaca.org/resources/cobit">APO10.05</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI04.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.01</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.03</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.04</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.05</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001311</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001312</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001557</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001851</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.17.2.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-4(1)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id43" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id43"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service syslog-ng
+            <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R46)</a>, <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R5)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO10.01</a>, <a href="https://www.isaca.org/resources/cobit">APO10.03</a>, <a href="https://www.isaca.org/resources/cobit">APO10.04</a>, <a href="https://www.isaca.org/resources/cobit">APO10.05</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI04.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.01</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.03</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.04</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.05</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001311</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001312</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001557</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001851</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.17.2.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-4(1)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id43" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id43"><pre><code>
+[customizations.services]
+enabled = ["syslog-ng"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id44" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id44"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service syslog-ng
   block:
 
   - name: Gather the package facts
@@ -1679,9 +1682,6 @@
   - medium_severity
   - no_reboot_needed
   - service_syslogng_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id44" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id44"><pre><code>
-[customizations.services]
-enabled = ["syslog-ng"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id45" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id45"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_syslog-ng
 
 class enable_syslog-ng {
@@ -1694,7 +1694,11 @@
                                 Ensure rsyslog is Installed
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_rsyslog_installed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Rsyslog is installed by default. The <code>rsyslog</code> package can be installed with the following command: <pre> $ apt-get install rsyslog</pre></div></td></tr><tr><td><span class="label label-primary">Rationale:</span></td><td><div class="rationale">The rsyslog package provides the rsyslog daemon, which provides
 system logging services.</div></td></tr><tr><td><span class="label label-warning">Severity:</span> </td><td><div class="severity">medium</div></td></tr><tr><td><span class="label label-primary">Rule ID:</span></td><td>xccdf_org.ssgproject.content_rule_package_rsyslog_installed</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> 
-            <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001311</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001312</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(ii)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FTP_ITC_EXT.1.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000479-GPOS-00224</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000051-GPOS-00024</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id47" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id47"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rsyslog is installed
+            <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001311</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001312</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(ii)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FTP_ITC_EXT.1.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000479-GPOS-00224</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000051-GPOS-00024</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id47" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id47"><pre><code>
+[[packages]]
+name = "rsyslog"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id48" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id48"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rsyslog is installed
   package:
     name: rsyslog
     state: present
@@ -1707,10 +1711,6 @@
   - medium_severity
   - no_reboot_needed
   - package_rsyslog_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id48" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id48"><pre><code>
-[[packages]]
-name = "rsyslog"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id49" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id49"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_rsyslog
 
 class install_rsyslog {
@@ -1725,7 +1725,10 @@
 The <code>rsyslog</code> service can be enabled with the following command:
 <pre>$ sudo systemctl enable rsyslog.service</pre></div></td></tr><tr><td><span class="label label-primary">Rationale:</span></td><td><div class="rationale">The <code>rsyslog</code> service must be running in order to provide
 logging services, which are essential to system administration.</div></td></tr><tr><td><span class="label label-warning">Severity:</span> </td><td><div class="severity">medium</div></td></tr><tr><td><span class="label label-primary">Rule ID:</span></td><td>xccdf_org.ssgproject.content_rule_service_rsyslog_enabled</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> 
-            <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO10.01</a>, <a href="https://www.isaca.org/resources/cobit">APO10.03</a>, <a href="https://www.isaca.org/resources/cobit">APO10.04</a>, <a href="https://www.isaca.org/resources/cobit">APO10.05</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI04.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.01</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.03</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.04</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.05</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001311</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001312</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001557</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001851</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(ii)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.17.2.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-4(1)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id51" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id51"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service rsyslog
+            <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO10.01</a>, <a href="https://www.isaca.org/resources/cobit">APO10.03</a>, <a href="https://www.isaca.org/resources/cobit">APO10.04</a>, <a href="https://www.isaca.org/resources/cobit">APO10.05</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI04.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.01</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.03</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.04</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.05</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001311</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001312</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001557</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001851</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(ii)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.17.2.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-4(1)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id51" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id51"><pre><code>
+[customizations.services]
+enabled = ["rsyslog"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id52" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id52"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service rsyslog
   block:
 
   - name: Gather the package facts
@@ -1750,9 +1753,6 @@
   - medium_severity
   - no_reboot_needed
   - service_rsyslog_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id52" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id52"><pre><code>
-[customizations.services]
-enabled = ["rsyslog"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id53" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id53"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_rsyslog
 
 class enable_rsyslog {
@@ -2642,7 +2642,11 @@
 configured defensively.</div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_cron_installed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_cron_installed" id="guide-tree-leaf-id101" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_cron_and_at"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_cron_installed"><span class="label label-default">Rule</span>  
                                 Install the cron service
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_cron_installed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The Cron service should be installed.</div></td></tr><tr><td><span class="label label-primary">Rationale:</span></td><td><div class="rationale">The cron service allow periodic job execution, needed for almost all administrative tasks and services (software update, log rotating, etc.). Access to cron service should be restricted to administrative accounts only.</div></td></tr><tr><td><span class="label label-warning">Severity:</span> </td><td><div class="severity">medium</div></td></tr><tr><td><span class="label label-primary">Rule ID:</span></td><td>xccdf_org.ssgproject.content_rule_package_cron_installed</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> 
-            <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R50)</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id102" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id102"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure cron is installed
+            <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R50)</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id102" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id102"><pre><code>
+[[packages]]
+name = "cron"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id103" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id103"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure cron is installed
   package:
     name: cron
     state: present
@@ -2655,10 +2659,6 @@
   - medium_severity
   - no_reboot_needed
   - package_cron_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id103" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id103"><pre><code>
-[[packages]]
-name = "cron"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id104" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id104"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_cron
 
 class install_cron {
@@ -2892,7 +2892,11 @@
 information on the capabilities and configuration of each of the NTP daemons.</div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_ntp_installed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntp_installed" id="guide-tree-leaf-id125" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_ntp_installed"><span class="label label-default">Rule</span>  
                                 Install the ntp service
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_ntp_installed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The ntpd service should be installed.</div></td></tr><tr><td><span class="label label-primary">Rationale:</span></td><td><div class="rationale">Time synchronization (using NTP) is required by almost all network and administrative tasks (syslog, cryptographic based services (authentication, etc.), etc.). Ntpd is regulary maintained and updated, supporting security features such as RFC 5906.</div></td></tr><tr><td><span class="label label-warning">Severity:</span> </td><td><div class="severity">high</div></td></tr><tr><td><span class="label label-primary">Rule ID:</span></td><td>xccdf_org.ssgproject.content_rule_package_ntp_installed</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> 
-            <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT012(R03)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000160</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.4</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id126" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id126"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure ntp is installed
+            <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT012(R03)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000160</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.4</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id126" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id126"><pre><code>
+[[packages]]
+name = "ntp"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id127" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id127"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure ntp is installed
   package:
     name: ntp
     state: present
@@ -2906,10 +2910,6 @@
   - low_disruption
   - no_reboot_needed
   - package_ntp_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id127" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id127"><pre><code>
-[[packages]]
-name = "ntp"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id128" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id128"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_ntp
 
 class install_ntp {
@@ -2931,7 +2931,10 @@
 <br><br>
 The NTP daemon offers all of the functionality of <code>ntpdate</code>, which is now
/usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_minimal.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_minimal.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_minimal.html	2023-07-27 00:00:00.000000000 +0000
@@ -65,7 +65,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Profile for ANSSI DAT-NT28 Minimal Level</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_np_nt28_minimal</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:debian:debian_linux:10 is applicable to this Benchmark">cpe:/o:debian:debian_linux:10</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_apt">APT service configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated services</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_DEBIAN-10"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_DEBIAN-10"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Debian 10
                           <small>Group contains 11 groups and 24 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_DEBIAN-10"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -237,7 +237,11 @@
 <pre>
 $ apt-get install syslog-ng-core</pre></div></td></tr><tr><td><span class="label label-primary">Rationale:</span></td><td><div class="rationale">The syslog-ng-core package provides the syslog-ng daemon, which provides
 system logging services.</div></td></tr><tr><td><span class="label label-warning">Severity:</span> </td><td><div class="severity">medium</div></td></tr><tr><td><span class="label label-primary">Rule ID:</span></td><td>xccdf_org.ssgproject.content_rule_package_syslogng_installed</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> 
-            <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R46)</a>, <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R5)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001311</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001312</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id13" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id13"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure syslog-ng is installed
+            <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R46)</a>, <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R5)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001311</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001312</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id13" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id13"><pre><code>
+[[packages]]
+name = "syslog-ng"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id14" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id14"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure syslog-ng is installed
   package:
     name: syslog-ng
     state: present
@@ -250,10 +254,6 @@
   - medium_severity
   - no_reboot_needed
   - package_syslogng_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id14" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id14"><pre><code>
-[[packages]]
-name = "syslog-ng"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id15" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id15"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_syslog-ng
 
 class install_syslog-ng {
@@ -268,7 +268,10 @@
 The <code>syslog-ng</code> service can be enabled with the following command:
 <pre>$ sudo systemctl enable syslog-ng.service</pre></div></td></tr><tr><td><span class="label label-primary">Rationale:</span></td><td><div class="rationale">The <code>syslog-ng</code> service must be running in order to provide
 logging services, which are essential to system administration.</div></td></tr><tr><td><span class="label label-warning">Severity:</span> </td><td><div class="severity">medium</div></td></tr><tr><td><span class="label label-primary">Rule ID:</span></td><td>xccdf_org.ssgproject.content_rule_service_syslogng_enabled</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> 
-            <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R46)</a>, <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R5)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO10.01</a>, <a href="https://www.isaca.org/resources/cobit">APO10.03</a>, <a href="https://www.isaca.org/resources/cobit">APO10.04</a>, <a href="https://www.isaca.org/resources/cobit">APO10.05</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI04.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.01</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.03</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.04</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.05</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001311</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001312</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001557</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001851</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.17.2.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-4(1)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id17" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id17"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service syslog-ng
+            <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R46)</a>, <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R5)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO10.01</a>, <a href="https://www.isaca.org/resources/cobit">APO10.03</a>, <a href="https://www.isaca.org/resources/cobit">APO10.04</a>, <a href="https://www.isaca.org/resources/cobit">APO10.05</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI04.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.01</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.03</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.04</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.05</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001311</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001312</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001557</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001851</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.17.2.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-4(1)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id17" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id17"><pre><code>
+[customizations.services]
+enabled = ["syslog-ng"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id18" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id18"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service syslog-ng
   block:
 
   - name: Gather the package facts
@@ -293,9 +296,6 @@
   - medium_severity
   - no_reboot_needed
   - service_syslogng_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id18" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id18"><pre><code>
-[customizations.services]
-enabled = ["syslog-ng"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id19" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id19"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_syslog-ng
 
 class enable_syslog-ng {
@@ -308,7 +308,11 @@
                                 Ensure rsyslog is Installed
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_rsyslog_installed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Rsyslog is installed by default. The <code>rsyslog</code> package can be installed with the following command: <pre> $ apt-get install rsyslog</pre></div></td></tr><tr><td><span class="label label-primary">Rationale:</span></td><td><div class="rationale">The rsyslog package provides the rsyslog daemon, which provides
 system logging services.</div></td></tr><tr><td><span class="label label-warning">Severity:</span> </td><td><div class="severity">medium</div></td></tr><tr><td><span class="label label-primary">Rule ID:</span></td><td>xccdf_org.ssgproject.content_rule_package_rsyslog_installed</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> 
-            <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001311</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001312</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(ii)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FTP_ITC_EXT.1.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000479-GPOS-00224</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000051-GPOS-00024</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id21" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id21"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rsyslog is installed
+            <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001311</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001312</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(ii)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FTP_ITC_EXT.1.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000479-GPOS-00224</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000051-GPOS-00024</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id21" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id21"><pre><code>
+[[packages]]
+name = "rsyslog"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rsyslog is installed
   package:
     name: rsyslog
     state: present
@@ -321,10 +325,6 @@
   - medium_severity
   - no_reboot_needed
   - package_rsyslog_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><pre><code>
-[[packages]]
-name = "rsyslog"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id23" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id23"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_rsyslog
 
 class install_rsyslog {
@@ -339,7 +339,10 @@
 The <code>rsyslog</code> service can be enabled with the following command:
 <pre>$ sudo systemctl enable rsyslog.service</pre></div></td></tr><tr><td><span class="label label-primary">Rationale:</span></td><td><div class="rationale">The <code>rsyslog</code> service must be running in order to provide
 logging services, which are essential to system administration.</div></td></tr><tr><td><span class="label label-warning">Severity:</span> </td><td><div class="severity">medium</div></td></tr><tr><td><span class="label label-primary">Rule ID:</span></td><td>xccdf_org.ssgproject.content_rule_service_rsyslog_enabled</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> 
-            <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO10.01</a>, <a href="https://www.isaca.org/resources/cobit">APO10.03</a>, <a href="https://www.isaca.org/resources/cobit">APO10.04</a>, <a href="https://www.isaca.org/resources/cobit">APO10.05</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI04.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.01</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.03</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.04</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.05</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001311</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001312</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001557</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001851</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(ii)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.17.2.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-4(1)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service rsyslog
+            <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO10.01</a>, <a href="https://www.isaca.org/resources/cobit">APO10.03</a>, <a href="https://www.isaca.org/resources/cobit">APO10.04</a>, <a href="https://www.isaca.org/resources/cobit">APO10.05</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI04.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.01</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.03</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.04</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.05</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001311</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001312</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001557</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001851</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(ii)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.17.2.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-4(1)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><pre><code>
+[customizations.services]
+enabled = ["rsyslog"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id26" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id26"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service rsyslog
   block:
 
   - name: Gather the package facts
@@ -364,9 +367,6 @@
   - medium_severity
   - no_reboot_needed
   - service_rsyslog_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id26" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id26"><pre><code>
-[customizations.services]
-enabled = ["rsyslog"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id27" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id27"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_rsyslog
 
 class enable_rsyslog {
/usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_restrictive.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_restrictive.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-anssi_np_nt28_restrictive.html	2023-07-27 00:00:00.000000000 +0000
@@ -65,7 +65,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Profile for ANSSI DAT-NT28 Restrictive Level</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:debian:debian_linux:10 is applicable to this Benchmark">cpe:/o:debian:debian_linux:10</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_apt">APT service configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_DEBIAN-10"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_DEBIAN-10"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Debian 10
                           <small>Group contains 22 groups and 49 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_DEBIAN-10"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -354,7 +354,11 @@
 </li></ul></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_audit_installed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_audit_installed" id="guide-tree-leaf-id17" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_auditing"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_audit_installed"><span class="label label-default">Rule</span>  
                                 Ensure the audit Subsystem is Installed
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_audit_installed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The audit package should be installed.</div></td></tr><tr><td><span class="label label-primary">Rationale:</span></td><td><div class="rationale">The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy.</div></td></tr><tr><td><span class="label label-warning">Severity:</span> </td><td><div class="severity">medium</div></td></tr><tr><td><span class="label label-primary">Rule ID:</span></td><td>xccdf_org.ssgproject.content_rule_package_audit_installed</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> 
-            <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R50)</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000130</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000131</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000132</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000133</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000134</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000135</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000154</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000158</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000172</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001464</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001487</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001814</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001875</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001876</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001877</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001878</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001879</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001880</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001881</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001882</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001889</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001914</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002884</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000169</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-7(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-7(2)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-14</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(2)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.1</a>, <a href="https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf">10.2.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000062-GPOS-00031</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000037-GPOS-00015</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000038-GPOS-00016</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000039-GPOS-00017</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000040-GPOS-00018</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000041-GPOS-00019</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000042-GPOS-00021</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000051-GPOS-00024</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000054-GPOS-00025</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000122-GPOS-00063</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000254-GPOS-00095</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000255-GPOS-00096</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000337-GPOS-00129</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000348-GPOS-00136</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000349-GPOS-00137</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000350-GPOS-00138</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000351-GPOS-00139</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000352-GPOS-00140</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000353-GPOS-00141</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000354-GPOS-00142</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000358-GPOS-00145</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000365-GPOS-00152</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000475-GPOS-00220</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id18" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id18"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure auditd is installed
+            <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R50)</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000130</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000131</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000132</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000133</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000134</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000135</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000154</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000158</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000172</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001464</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001487</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001814</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001875</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001876</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001877</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001878</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001879</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001880</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001881</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001882</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001889</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001914</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002884</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000169</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-7(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-7(2)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-14</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(2)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.1</a>, <a href="https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf">10.2.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000062-GPOS-00031</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000037-GPOS-00015</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000038-GPOS-00016</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000039-GPOS-00017</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000040-GPOS-00018</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000041-GPOS-00019</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000042-GPOS-00021</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000051-GPOS-00024</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000054-GPOS-00025</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000122-GPOS-00063</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000254-GPOS-00095</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000255-GPOS-00096</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000337-GPOS-00129</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000348-GPOS-00136</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000349-GPOS-00137</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000350-GPOS-00138</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000351-GPOS-00139</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000352-GPOS-00140</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000353-GPOS-00141</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000354-GPOS-00142</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000358-GPOS-00145</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000365-GPOS-00152</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000475-GPOS-00220</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id18" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id18"><pre><code>
+[[packages]]
+name = "auditd"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id19" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id19"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure auditd is installed
   package:
     name: auditd
     state: present
@@ -375,10 +379,6 @@
   - medium_severity
   - no_reboot_needed
   - package_audit_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id19" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id19"><pre><code>
-[[packages]]
-name = "auditd"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id20" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id20"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_auditd
 
 class install_auditd {
@@ -401,7 +401,10 @@
 Additionally, a properly configured audit subsystem ensures that actions of
 individual system users can be uniquely traced to those users so they
 can be held accountable for their actions.</div></td></tr><tr><td><span class="label label-warning">Severity:</span> </td><td><div class="severity">medium</div></td></tr><tr><td><span class="label label-primary">Rule ID:</span></td><td>xccdf_org.ssgproject.content_rule_service_auditd_enabled</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> 
-            <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">19</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">4</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</a>, <a href="https://www.isaca.org/resources/cobit">APO10.01</a>, <a href="https://www.isaca.org/resources/cobit">APO10.03</a>, <a href="https://www.isaca.org/resources/cobit">APO10.04</a>, <a href="https://www.isaca.org/resources/cobit">APO10.05</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">APO12.06</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI08.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.01</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.03</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.04</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.05</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.6</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000126</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000130</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000131</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000132</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000133</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000134</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000135</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000154</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000158</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000172</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001464</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001487</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001814</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001875</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001876</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001877</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002884</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001878</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001879</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001880</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001881</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001882</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001889</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001914</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000169</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(iv)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(2)(iii)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.7</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(g)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-10</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-14(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-4(23)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.1</a>, <a href="https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf">10.2.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000062-GPOS-00031</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000037-GPOS-00015</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000038-GPOS-00016</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000039-GPOS-00017</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000040-GPOS-00018</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000041-GPOS-00019</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000042-GPOS-00021</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000051-GPOS-00024</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000054-GPOS-00025</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000122-GPOS-00063</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000254-GPOS-00095</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000255-GPOS-00096</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000337-GPOS-00129</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000348-GPOS-00136</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000349-GPOS-00137</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000350-GPOS-00138</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000351-GPOS-00139</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000352-GPOS-00140</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000353-GPOS-00141</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000354-GPOS-00142</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000358-GPOS-00145</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000365-GPOS-00152</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000475-GPOS-00220</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
+            <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">19</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">4</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</a>, <a href="https://www.isaca.org/resources/cobit">APO10.01</a>, <a href="https://www.isaca.org/resources/cobit">APO10.03</a>, <a href="https://www.isaca.org/resources/cobit">APO10.04</a>, <a href="https://www.isaca.org/resources/cobit">APO10.05</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">APO12.06</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI08.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.01</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.03</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.04</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.05</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.6</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000126</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000130</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000131</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000132</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000133</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000134</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000135</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000154</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000158</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000172</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001464</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001487</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001814</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001875</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001876</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001877</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002884</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001878</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001879</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001880</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001881</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001882</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001889</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001914</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000169</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(iv)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(2)(iii)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.7</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(g)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-10</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-14(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-4(23)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.1</a>, <a href="https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf">10.2.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000062-GPOS-00031</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000037-GPOS-00015</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000038-GPOS-00016</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000039-GPOS-00017</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000040-GPOS-00018</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000041-GPOS-00019</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000042-GPOS-00021</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000051-GPOS-00024</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000054-GPOS-00025</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000122-GPOS-00063</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000254-GPOS-00095</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000255-GPOS-00096</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000337-GPOS-00129</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000348-GPOS-00136</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000349-GPOS-00137</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000350-GPOS-00138</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000351-GPOS-00139</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000352-GPOS-00140</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000353-GPOS-00141</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000354-GPOS-00142</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000358-GPOS-00145</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000365-GPOS-00152</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000475-GPOS-00220</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><pre><code>
+[customizations.services]
+enabled = ["auditd"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id23" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id23"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -467,9 +470,6 @@
   - medium_severity
   - no_reboot_needed
   - service_auditd_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id23" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id23"><pre><code>
-[customizations.services]
-enabled = ["auditd"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id24" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id24"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_auditd
 
 class enable_auditd {
@@ -1602,7 +1602,11 @@
 <pre>
 $ apt-get install syslog-ng-core</pre></div></td></tr><tr><td><span class="label label-primary">Rationale:</span></td><td><div class="rationale">The syslog-ng-core package provides the syslog-ng daemon, which provides
 system logging services.</div></td></tr><tr><td><span class="label label-warning">Severity:</span> </td><td><div class="severity">medium</div></td></tr><tr><td><span class="label label-primary">Rule ID:</span></td><td>xccdf_org.ssgproject.content_rule_package_syslogng_installed</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> 
-            <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R46)</a>, <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R5)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001311</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001312</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id38" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id38"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure syslog-ng is installed
+            <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R46)</a>, <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R5)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001311</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001312</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id38" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id38"><pre><code>
+[[packages]]
+name = "syslog-ng"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id39" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id39"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure syslog-ng is installed
   package:
     name: syslog-ng
     state: present
@@ -1615,10 +1619,6 @@
   - medium_severity
   - no_reboot_needed
   - package_syslogng_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id39" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id39"><pre><code>
-[[packages]]
-name = "syslog-ng"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id40" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id40"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_syslog-ng
 
 class install_syslog-ng {
@@ -1633,7 +1633,10 @@
 The <code>syslog-ng</code> service can be enabled with the following command:
 <pre>$ sudo systemctl enable syslog-ng.service</pre></div></td></tr><tr><td><span class="label label-primary">Rationale:</span></td><td><div class="rationale">The <code>syslog-ng</code> service must be running in order to provide
 logging services, which are essential to system administration.</div></td></tr><tr><td><span class="label label-warning">Severity:</span> </td><td><div class="severity">medium</div></td></tr><tr><td><span class="label label-primary">Rule ID:</span></td><td>xccdf_org.ssgproject.content_rule_service_syslogng_enabled</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> 
-            <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R46)</a>, <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R5)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO10.01</a>, <a href="https://www.isaca.org/resources/cobit">APO10.03</a>, <a href="https://www.isaca.org/resources/cobit">APO10.04</a>, <a href="https://www.isaca.org/resources/cobit">APO10.05</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI04.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.01</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.03</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.04</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.05</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001311</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001312</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001557</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001851</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.17.2.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-4(1)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id42" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id42"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service syslog-ng
+            <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R46)</a>, <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R5)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO10.01</a>, <a href="https://www.isaca.org/resources/cobit">APO10.03</a>, <a href="https://www.isaca.org/resources/cobit">APO10.04</a>, <a href="https://www.isaca.org/resources/cobit">APO10.05</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI04.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.01</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.03</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.04</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.05</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001311</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001312</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001557</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001851</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.17.2.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-4(1)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id42" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id42"><pre><code>
+[customizations.services]
+enabled = ["syslog-ng"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id43" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id43"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service syslog-ng
   block:
 
   - name: Gather the package facts
@@ -1658,9 +1661,6 @@
   - medium_severity
   - no_reboot_needed
   - service_syslogng_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id43" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id43"><pre><code>
-[customizations.services]
-enabled = ["syslog-ng"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id44" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id44"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_syslog-ng
 
 class enable_syslog-ng {
@@ -1673,7 +1673,11 @@
                                 Ensure rsyslog is Installed
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_rsyslog_installed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Rsyslog is installed by default. The <code>rsyslog</code> package can be installed with the following command: <pre> $ apt-get install rsyslog</pre></div></td></tr><tr><td><span class="label label-primary">Rationale:</span></td><td><div class="rationale">The rsyslog package provides the rsyslog daemon, which provides
 system logging services.</div></td></tr><tr><td><span class="label label-warning">Severity:</span> </td><td><div class="severity">medium</div></td></tr><tr><td><span class="label label-primary">Rule ID:</span></td><td>xccdf_org.ssgproject.content_rule_package_rsyslog_installed</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> 
-            <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001311</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001312</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(ii)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FTP_ITC_EXT.1.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000479-GPOS-00224</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000051-GPOS-00024</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id46" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id46"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rsyslog is installed
+            <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001311</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001312</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(ii)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FTP_ITC_EXT.1.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000479-GPOS-00224</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000051-GPOS-00024</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id46" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id46"><pre><code>
+[[packages]]
+name = "rsyslog"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id47" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id47"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rsyslog is installed
   package:
     name: rsyslog
     state: present
@@ -1686,10 +1690,6 @@
   - medium_severity
   - no_reboot_needed
   - package_rsyslog_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id47" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id47"><pre><code>
-[[packages]]
-name = "rsyslog"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id48" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id48"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_rsyslog
 
 class install_rsyslog {
@@ -1704,7 +1704,10 @@
 The <code>rsyslog</code> service can be enabled with the following command:
 <pre>$ sudo systemctl enable rsyslog.service</pre></div></td></tr><tr><td><span class="label label-primary">Rationale:</span></td><td><div class="rationale">The <code>rsyslog</code> service must be running in order to provide
 logging services, which are essential to system administration.</div></td></tr><tr><td><span class="label label-warning">Severity:</span> </td><td><div class="severity">medium</div></td></tr><tr><td><span class="label label-primary">Rule ID:</span></td><td>xccdf_org.ssgproject.content_rule_service_rsyslog_enabled</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> 
-            <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO10.01</a>, <a href="https://www.isaca.org/resources/cobit">APO10.03</a>, <a href="https://www.isaca.org/resources/cobit">APO10.04</a>, <a href="https://www.isaca.org/resources/cobit">APO10.05</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI04.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.01</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.03</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.04</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.05</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001311</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001312</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001557</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001851</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(ii)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.17.2.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-4(1)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id50" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id50"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service rsyslog
+            <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO10.01</a>, <a href="https://www.isaca.org/resources/cobit">APO10.03</a>, <a href="https://www.isaca.org/resources/cobit">APO10.04</a>, <a href="https://www.isaca.org/resources/cobit">APO10.05</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI04.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.01</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.03</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.04</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.05</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001311</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001312</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001557</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001851</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(ii)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.17.2.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-4(1)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id50" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id50"><pre><code>
+[customizations.services]
+enabled = ["rsyslog"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id51" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id51"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service rsyslog
   block:
 
   - name: Gather the package facts
@@ -1729,9 +1732,6 @@
   - medium_severity
   - no_reboot_needed
   - service_rsyslog_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id51" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id51"><pre><code>
-[customizations.services]
-enabled = ["rsyslog"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id52" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id52"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_rsyslog
 
 class enable_rsyslog {
@@ -2621,7 +2621,11 @@
 configured defensively.</div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_cron_installed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_cron_installed" id="guide-tree-leaf-id100" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_cron_and_at"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_cron_installed"><span class="label label-default">Rule</span>  
                                 Install the cron service
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_cron_installed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The Cron service should be installed.</div></td></tr><tr><td><span class="label label-primary">Rationale:</span></td><td><div class="rationale">The cron service allow periodic job execution, needed for almost all administrative tasks and services (software update, log rotating, etc.). Access to cron service should be restricted to administrative accounts only.</div></td></tr><tr><td><span class="label label-warning">Severity:</span> </td><td><div class="severity">medium</div></td></tr><tr><td><span class="label label-primary">Rule ID:</span></td><td>xccdf_org.ssgproject.content_rule_package_cron_installed</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> 
-            <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R50)</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id101" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id101"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure cron is installed
+            <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R50)</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id101" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id101"><pre><code>
+[[packages]]
+name = "cron"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id102" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id102"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure cron is installed
   package:
     name: cron
     state: present
@@ -2634,10 +2638,6 @@
   - medium_severity
   - no_reboot_needed
   - package_cron_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id102" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id102"><pre><code>
-[[packages]]
-name = "cron"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id103" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id103"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_cron
 
 class install_cron {
@@ -2871,7 +2871,11 @@
 information on the capabilities and configuration of each of the NTP daemons.</div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_ntp_installed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntp_installed" id="guide-tree-leaf-id124" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_ntp_installed"><span class="label label-default">Rule</span>  
                                 Install the ntp service
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_ntp_installed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The ntpd service should be installed.</div></td></tr><tr><td><span class="label label-primary">Rationale:</span></td><td><div class="rationale">Time synchronization (using NTP) is required by almost all network and administrative tasks (syslog, cryptographic based services (authentication, etc.), etc.). Ntpd is regulary maintained and updated, supporting security features such as RFC 5906.</div></td></tr><tr><td><span class="label label-warning">Severity:</span> </td><td><div class="severity">high</div></td></tr><tr><td><span class="label label-primary">Rule ID:</span></td><td>xccdf_org.ssgproject.content_rule_package_ntp_installed</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> 
-            <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT012(R03)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000160</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.4</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id125" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id125"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure ntp is installed
+            <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT012(R03)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000160</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.4</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id125" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id125"><pre><code>
+[[packages]]
+name = "ntp"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id126" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id126"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure ntp is installed
   package:
     name: ntp
     state: present
@@ -2885,10 +2889,6 @@
   - low_disruption
   - no_reboot_needed
   - package_ntp_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id126" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id126"><pre><code>
-[[packages]]
-name = "ntp"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id127" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id127"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_ntp
 
 class install_ntp {
@@ -2910,7 +2910,10 @@
 <br><br>
 The NTP daemon offers all of the functionality of <code>ntpdate</code>, which is now
/usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-standard.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-standard.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-debian10-guide-standard.html	2023-07-27 00:00:00.000000000 +0000
@@ -67,7 +67,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Standard System Security Profile for Debian 10</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_standard</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:debian:debian_linux:10 is applicable to this Benchmark">cpe:/o:debian:debian_linux:10</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_DEBIAN-10"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_DEBIAN-10"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Debian 10
                           <small>Group contains 19 groups and 44 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_DEBIAN-10"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -230,7 +230,11 @@
 </li></ul></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_audit_installed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_audit_installed" id="guide-tree-leaf-id11" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_auditing"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_audit_installed"><span class="label label-default">Rule</span>  
                                 Ensure the audit Subsystem is Installed
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_audit_installed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The audit package should be installed.</div></td></tr><tr><td><span class="label label-primary">Rationale:</span></td><td><div class="rationale">The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy.</div></td></tr><tr><td><span class="label label-warning">Severity:</span> </td><td><div class="severity">medium</div></td></tr><tr><td><span class="label label-primary">Rule ID:</span></td><td>xccdf_org.ssgproject.content_rule_package_audit_installed</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> 
-            <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R50)</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000130</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000131</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000132</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000133</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000134</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000135</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000154</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000158</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000172</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001464</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001487</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001814</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001875</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001876</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001877</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001878</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001879</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001880</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001881</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001882</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001889</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001914</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002884</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000169</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-7(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-7(2)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-14</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(2)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.1</a>, <a href="https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf">10.2.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000062-GPOS-00031</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000037-GPOS-00015</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000038-GPOS-00016</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000039-GPOS-00017</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000040-GPOS-00018</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000041-GPOS-00019</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000042-GPOS-00021</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000051-GPOS-00024</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000054-GPOS-00025</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000122-GPOS-00063</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000254-GPOS-00095</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000255-GPOS-00096</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000337-GPOS-00129</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000348-GPOS-00136</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000349-GPOS-00137</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000350-GPOS-00138</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000351-GPOS-00139</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000352-GPOS-00140</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000353-GPOS-00141</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000354-GPOS-00142</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000358-GPOS-00145</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000365-GPOS-00152</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000475-GPOS-00220</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id12" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id12"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure auditd is installed
+            <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R50)</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000130</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000131</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000132</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000133</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000134</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000135</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000154</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000158</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000172</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001464</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001487</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001814</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001875</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001876</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001877</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001878</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001879</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001880</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001881</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001882</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001889</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001914</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002884</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000169</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-7(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-7(2)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-14</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(2)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.1</a>, <a href="https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf">10.2.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000062-GPOS-00031</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000037-GPOS-00015</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000038-GPOS-00016</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000039-GPOS-00017</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000040-GPOS-00018</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000041-GPOS-00019</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000042-GPOS-00021</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000051-GPOS-00024</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000054-GPOS-00025</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000122-GPOS-00063</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000254-GPOS-00095</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000255-GPOS-00096</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000337-GPOS-00129</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000348-GPOS-00136</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000349-GPOS-00137</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000350-GPOS-00138</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000351-GPOS-00139</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000352-GPOS-00140</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000353-GPOS-00141</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000354-GPOS-00142</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000358-GPOS-00145</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000365-GPOS-00152</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000475-GPOS-00220</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id12" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id12"><pre><code>
+[[packages]]
+name = "auditd"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id13" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id13"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure auditd is installed
   package:
     name: auditd
     state: present
@@ -251,10 +255,6 @@
   - medium_severity
   - no_reboot_needed
   - package_audit_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id13" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id13"><pre><code>
-[[packages]]
-name = "auditd"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id14" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id14"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_auditd
 
 class install_auditd {
@@ -277,7 +277,10 @@
 Additionally, a properly configured audit subsystem ensures that actions of
 individual system users can be uniquely traced to those users so they
 can be held accountable for their actions.</div></td></tr><tr><td><span class="label label-warning">Severity:</span> </td><td><div class="severity">medium</div></td></tr><tr><td><span class="label label-primary">Rule ID:</span></td><td>xccdf_org.ssgproject.content_rule_service_auditd_enabled</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> 
-            <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">19</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">4</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</a>, <a href="https://www.isaca.org/resources/cobit">APO10.01</a>, <a href="https://www.isaca.org/resources/cobit">APO10.03</a>, <a href="https://www.isaca.org/resources/cobit">APO10.04</a>, <a href="https://www.isaca.org/resources/cobit">APO10.05</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">APO12.06</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI08.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.01</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.03</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.04</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.05</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.6</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000126</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000130</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000131</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000132</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000133</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000134</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000135</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000154</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000158</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000172</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001464</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001487</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001814</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001875</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001876</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001877</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002884</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001878</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001879</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001880</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001881</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001882</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001889</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001914</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000169</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(iv)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(2)(iii)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.7</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(g)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-10</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-14(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-4(23)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.1</a>, <a href="https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf">10.2.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000062-GPOS-00031</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000037-GPOS-00015</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000038-GPOS-00016</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000039-GPOS-00017</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000040-GPOS-00018</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000041-GPOS-00019</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000042-GPOS-00021</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000051-GPOS-00024</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000054-GPOS-00025</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000122-GPOS-00063</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000254-GPOS-00095</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000255-GPOS-00096</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000337-GPOS-00129</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000348-GPOS-00136</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000349-GPOS-00137</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000350-GPOS-00138</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000351-GPOS-00139</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000352-GPOS-00140</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000353-GPOS-00141</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000354-GPOS-00142</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000358-GPOS-00145</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000365-GPOS-00152</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000475-GPOS-00220</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id16" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id16"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
+            <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">19</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">4</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</a>, <a href="https://www.isaca.org/resources/cobit">APO10.01</a>, <a href="https://www.isaca.org/resources/cobit">APO10.03</a>, <a href="https://www.isaca.org/resources/cobit">APO10.04</a>, <a href="https://www.isaca.org/resources/cobit">APO10.05</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">APO12.06</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI08.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.01</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.03</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.04</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.05</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.6</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000126</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000130</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000131</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000132</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000133</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000134</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000135</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000154</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000158</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000172</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001464</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001487</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001814</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001875</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001876</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001877</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002884</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001878</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001879</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001880</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001881</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001882</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001889</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001914</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000169</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(iv)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(2)(iii)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.7</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(g)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-10</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-14(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-4(23)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.1</a>, <a href="https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf">10.2.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000062-GPOS-00031</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000037-GPOS-00015</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000038-GPOS-00016</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000039-GPOS-00017</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000040-GPOS-00018</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000041-GPOS-00019</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000042-GPOS-00021</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000051-GPOS-00024</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000054-GPOS-00025</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000122-GPOS-00063</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000254-GPOS-00095</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000255-GPOS-00096</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000337-GPOS-00129</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000348-GPOS-00136</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000349-GPOS-00137</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000350-GPOS-00138</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000351-GPOS-00139</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000352-GPOS-00140</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000353-GPOS-00141</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000354-GPOS-00142</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000358-GPOS-00145</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000365-GPOS-00152</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000475-GPOS-00220</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id16" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id16"><pre><code>
+[customizations.services]
+enabled = ["auditd"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id17" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id17"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -343,9 +346,6 @@
   - medium_severity
   - no_reboot_needed
   - service_auditd_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id17" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id17"><pre><code>
-[customizations.services]
-enabled = ["auditd"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id18" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id18"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_auditd
 
 class enable_auditd {
@@ -1466,7 +1466,11 @@
                                 Ensure rsyslog is Installed
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_rsyslog_installed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Rsyslog is installed by default. The <code>rsyslog</code> package can be installed with the following command: <pre> $ apt-get install rsyslog</pre></div></td></tr><tr><td><span class="label label-primary">Rationale:</span></td><td><div class="rationale">The rsyslog package provides the rsyslog daemon, which provides
 system logging services.</div></td></tr><tr><td><span class="label label-warning">Severity:</span> </td><td><div class="severity">medium</div></td></tr><tr><td><span class="label label-primary">Rule ID:</span></td><td>xccdf_org.ssgproject.content_rule_package_rsyslog_installed</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> 
-            <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001311</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001312</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(ii)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FTP_ITC_EXT.1.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000479-GPOS-00224</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000051-GPOS-00024</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id32" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id32"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rsyslog is installed
+            <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001311</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001312</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(ii)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FTP_ITC_EXT.1.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000479-GPOS-00224</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000051-GPOS-00024</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id32" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id32"><pre><code>
+[[packages]]
+name = "rsyslog"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id33" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id33"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rsyslog is installed
   package:
     name: rsyslog
     state: present
@@ -1479,10 +1483,6 @@
   - medium_severity
   - no_reboot_needed
   - package_rsyslog_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id33" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id33"><pre><code>
-[[packages]]
-name = "rsyslog"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id34" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id34"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_rsyslog
 
 class install_rsyslog {
@@ -1497,7 +1497,10 @@
 The <code>rsyslog</code> service can be enabled with the following command:
 <pre>$ sudo systemctl enable rsyslog.service</pre></div></td></tr><tr><td><span class="label label-primary">Rationale:</span></td><td><div class="rationale">The <code>rsyslog</code> service must be running in order to provide
 logging services, which are essential to system administration.</div></td></tr><tr><td><span class="label label-warning">Severity:</span> </td><td><div class="severity">medium</div></td></tr><tr><td><span class="label label-primary">Rule ID:</span></td><td>xccdf_org.ssgproject.content_rule_service_rsyslog_enabled</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> 
-            <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO10.01</a>, <a href="https://www.isaca.org/resources/cobit">APO10.03</a>, <a href="https://www.isaca.org/resources/cobit">APO10.04</a>, <a href="https://www.isaca.org/resources/cobit">APO10.05</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI04.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.01</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.03</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.04</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.05</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001311</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001312</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001557</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001851</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(ii)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.17.2.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-4(1)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id36" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id36"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service rsyslog
+            <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO10.01</a>, <a href="https://www.isaca.org/resources/cobit">APO10.03</a>, <a href="https://www.isaca.org/resources/cobit">APO10.04</a>, <a href="https://www.isaca.org/resources/cobit">APO10.05</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI04.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.01</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.03</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.04</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.05</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001311</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001312</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001557</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001851</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(ii)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.17.2.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-4(1)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id36" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id36"><pre><code>
+[customizations.services]
+enabled = ["rsyslog"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id37" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id37"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service rsyslog
   block:
 
   - name: Gather the package facts
@@ -1522,9 +1525,6 @@
   - medium_severity
   - no_reboot_needed
   - service_rsyslog_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id37" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id37"><pre><code>
-[customizations.services]
-enabled = ["rsyslog"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id38" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id38"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_rsyslog
 
 class enable_rsyslog {
@@ -2400,7 +2400,11 @@
 configured defensively.</div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_cron_installed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_cron_installed" id="guide-tree-leaf-id84" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_cron_and_at"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_cron_installed"><span class="label label-default">Rule</span>  
                                 Install the cron service
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_cron_installed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The Cron service should be installed.</div></td></tr><tr><td><span class="label label-primary">Rationale:</span></td><td><div class="rationale">The cron service allow periodic job execution, needed for almost all administrative tasks and services (software update, log rotating, etc.). Access to cron service should be restricted to administrative accounts only.</div></td></tr><tr><td><span class="label label-warning">Severity:</span> </td><td><div class="severity">medium</div></td></tr><tr><td><span class="label label-primary">Rule ID:</span></td><td>xccdf_org.ssgproject.content_rule_package_cron_installed</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> 
-            <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R50)</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id85" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id85"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure cron is installed
+            <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R50)</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id85" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id85"><pre><code>
+[[packages]]
+name = "cron"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id86" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id86"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure cron is installed
   package:
     name: cron
     state: present
@@ -2413,10 +2417,6 @@
   - medium_severity
   - no_reboot_needed
   - package_cron_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id86" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id86"><pre><code>
-[[packages]]
-name = "cron"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id87" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id87"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_cron
 
 class install_cron {
@@ -2433,7 +2433,10 @@
 The <code>cron</code> service can be enabled with the following command:
 <pre>$ sudo systemctl enable cron.service</pre></div></td></tr><tr><td><span class="label label-primary">Rationale:</span></td><td><div class="rationale">Due to its usage for maintenance and security-supporting tasks,
 enabling the cron daemon is essential.</div></td></tr><tr><td><span class="label label-warning">Severity:</span> </td><td><div class="severity">medium</div></td></tr><tr><td><span class="label label-primary">Rule ID:</span></td><td>xccdf_org.ssgproject.content_rule_service_cron_enabled</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> 
-            <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf">2.2.6</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id89" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id89"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service cron
+            <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf">2.2.6</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id89" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id89"><pre><code>
+[customizations.services]
+enabled = ["cron"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id90" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id90"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service cron
   block:
 
   - name: Gather the package facts
@@ -2458,9 +2461,6 @@
   - medium_severity
   - no_reboot_needed
   - service_cron_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id90" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id90"><pre><code>
-[customizations.services]
-enabled = ["cron"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id91" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id91"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_cron
 
 class enable_cron {
@@ -2695,7 +2695,11 @@
 information on the capabilities and configuration of each of the NTP daemons.</div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_ntp_installed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntp_installed" id="guide-tree-leaf-id112" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_ntp_installed"><span class="label label-default">Rule</span>  
                                 Install the ntp service
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_ntp_installed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The ntpd service should be installed.</div></td></tr><tr><td><span class="label label-primary">Rationale:</span></td><td><div class="rationale">Time synchronization (using NTP) is required by almost all network and administrative tasks (syslog, cryptographic based services (authentication, etc.), etc.). Ntpd is regulary maintained and updated, supporting security features such as RFC 5906.</div></td></tr><tr><td><span class="label label-warning">Severity:</span> </td><td><div class="severity">high</div></td></tr><tr><td><span class="label label-primary">Rule ID:</span></td><td>xccdf_org.ssgproject.content_rule_package_ntp_installed</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> 
-            <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT012(R03)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000160</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.4</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id113" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id113"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure ntp is installed
+            <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT012(R03)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000160</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.4</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id113" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id113"><pre><code>
+[[packages]]
+name = "ntp"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id114" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id114"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure ntp is installed
   package:
     name: ntp
     state: present
@@ -2709,10 +2713,6 @@
   - low_disruption
   - no_reboot_needed
   - package_ntp_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id114" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id114"><pre><code>
-[[packages]]
-name = "ntp"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id115" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id115"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_ntp
 
 class install_ntp {
@@ -2734,7 +2734,10 @@
 <br><br>
 The NTP daemon offers all of the functionality of <code>ntpdate</code>, which is now
 deprecated.</div></td></tr><tr><td><span class="label label-warning">Severity:</span> </td><td><div class="severity">high</div></td></tr><tr><td><span class="label label-primary">Rule ID:</span></td><td>xccdf_org.ssgproject.content_rule_service_ntp_enabled</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> 
-            <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT012(R03)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000160</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.4</a>, <a href="https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf">10.6.1</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id117" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id117"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
+            <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT012(R03)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000160</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.4</a>, <a href="https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf">10.6.1</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id117" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id117"><pre><code>
+[customizations.services]
+enabled = ["ntp"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id118" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id118"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -2778,9 +2781,6 @@
   - low_disruption
   - no_reboot_needed
   - service_ntp_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id118" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id118"><pre><code>
-[customizations.services]
-enabled = ["ntp"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id119" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id119"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_ntp
 
 class enable_ntp {
/usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_average.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_average.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_average.html	2023-07-27 00:00:00.000000000 +0000
@@ -65,7 +65,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Profile for ANSSI DAT-NT28 Average (Intermediate) Level</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_np_nt28_average</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:debian:debian_linux:11 is applicable to this Benchmark">cpe:/o:debian:debian_linux:11</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_apt">APT service configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_DEBIAN-11"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_DEBIAN-11"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Debian 11
                           <small>Group contains 20 groups and 45 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_DEBIAN-11"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -1396,7 +1396,11 @@
 <pre>
 $ apt-get install syslog-ng-core</pre></div></td></tr><tr><td><span class="label label-primary">Rationale:</span></td><td><div class="rationale">The syslog-ng-core package provides the syslog-ng daemon, which provides
 system logging services.</div></td></tr><tr><td><span class="label label-warning">Severity:</span> </td><td><div class="severity">medium</div></td></tr><tr><td><span class="label label-primary">Rule ID:</span></td><td>xccdf_org.ssgproject.content_rule_package_syslogng_installed</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> 
-            <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R46)</a>, <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R5)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001311</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001312</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id30" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id30"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure syslog-ng is installed
+            <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R46)</a>, <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R5)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001311</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001312</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id30" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id30"><pre><code>
+[[packages]]
+name = "syslog-ng"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id31" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id31"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure syslog-ng is installed
   package:
     name: syslog-ng
     state: present
@@ -1409,10 +1413,6 @@
   - medium_severity
   - no_reboot_needed
   - package_syslogng_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id31" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id31"><pre><code>
-[[packages]]
-name = "syslog-ng"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id32" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id32"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_syslog-ng
 
 class install_syslog-ng {
@@ -1427,7 +1427,10 @@
 The <code>syslog-ng</code> service can be enabled with the following command:
 <pre>$ sudo systemctl enable syslog-ng.service</pre></div></td></tr><tr><td><span class="label label-primary">Rationale:</span></td><td><div class="rationale">The <code>syslog-ng</code> service must be running in order to provide
 logging services, which are essential to system administration.</div></td></tr><tr><td><span class="label label-warning">Severity:</span> </td><td><div class="severity">medium</div></td></tr><tr><td><span class="label label-primary">Rule ID:</span></td><td>xccdf_org.ssgproject.content_rule_service_syslogng_enabled</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> 
-            <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R46)</a>, <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R5)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO10.01</a>, <a href="https://www.isaca.org/resources/cobit">APO10.03</a>, <a href="https://www.isaca.org/resources/cobit">APO10.04</a>, <a href="https://www.isaca.org/resources/cobit">APO10.05</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI04.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.01</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.03</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.04</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.05</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001311</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001312</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001557</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001851</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.17.2.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-4(1)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id34" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id34"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service syslog-ng
+            <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R46)</a>, <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R5)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO10.01</a>, <a href="https://www.isaca.org/resources/cobit">APO10.03</a>, <a href="https://www.isaca.org/resources/cobit">APO10.04</a>, <a href="https://www.isaca.org/resources/cobit">APO10.05</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI04.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.01</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.03</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.04</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.05</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001311</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001312</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001557</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001851</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.17.2.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-4(1)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id34" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id34"><pre><code>
+[customizations.services]
+enabled = ["syslog-ng"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id35" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id35"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service syslog-ng
   block:
 
   - name: Gather the package facts
@@ -1452,9 +1455,6 @@
   - medium_severity
   - no_reboot_needed
   - service_syslogng_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id35" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id35"><pre><code>
-[customizations.services]
-enabled = ["syslog-ng"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id36" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id36"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_syslog-ng
 
 class enable_syslog-ng {
@@ -1467,7 +1467,11 @@
                                 Ensure rsyslog is Installed
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_rsyslog_installed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Rsyslog is installed by default. The <code>rsyslog</code> package can be installed with the following command: <pre> $ apt-get install rsyslog</pre></div></td></tr><tr><td><span class="label label-primary">Rationale:</span></td><td><div class="rationale">The rsyslog package provides the rsyslog daemon, which provides
 system logging services.</div></td></tr><tr><td><span class="label label-warning">Severity:</span> </td><td><div class="severity">medium</div></td></tr><tr><td><span class="label label-primary">Rule ID:</span></td><td>xccdf_org.ssgproject.content_rule_package_rsyslog_installed</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> 
-            <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001311</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001312</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(ii)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FTP_ITC_EXT.1.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000479-GPOS-00224</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000051-GPOS-00024</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id38" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id38"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rsyslog is installed
+            <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001311</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001312</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(ii)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FTP_ITC_EXT.1.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000479-GPOS-00224</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000051-GPOS-00024</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id38" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id38"><pre><code>
+[[packages]]
+name = "rsyslog"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id39" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id39"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rsyslog is installed
   package:
     name: rsyslog
     state: present
@@ -1480,10 +1484,6 @@
   - medium_severity
   - no_reboot_needed
   - package_rsyslog_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id39" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id39"><pre><code>
-[[packages]]
-name = "rsyslog"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id40" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id40"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_rsyslog
 
 class install_rsyslog {
@@ -1498,7 +1498,10 @@
 The <code>rsyslog</code> service can be enabled with the following command:
 <pre>$ sudo systemctl enable rsyslog.service</pre></div></td></tr><tr><td><span class="label label-primary">Rationale:</span></td><td><div class="rationale">The <code>rsyslog</code> service must be running in order to provide
 logging services, which are essential to system administration.</div></td></tr><tr><td><span class="label label-warning">Severity:</span> </td><td><div class="severity">medium</div></td></tr><tr><td><span class="label label-primary">Rule ID:</span></td><td>xccdf_org.ssgproject.content_rule_service_rsyslog_enabled</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> 
-            <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO10.01</a>, <a href="https://www.isaca.org/resources/cobit">APO10.03</a>, <a href="https://www.isaca.org/resources/cobit">APO10.04</a>, <a href="https://www.isaca.org/resources/cobit">APO10.05</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI04.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.01</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.03</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.04</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.05</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001311</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001312</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001557</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001851</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(ii)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.17.2.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-4(1)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id42" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id42"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service rsyslog
+            <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO10.01</a>, <a href="https://www.isaca.org/resources/cobit">APO10.03</a>, <a href="https://www.isaca.org/resources/cobit">APO10.04</a>, <a href="https://www.isaca.org/resources/cobit">APO10.05</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI04.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.01</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.03</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.04</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.05</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001311</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001312</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001557</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001851</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(ii)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.17.2.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-4(1)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id42" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id42"><pre><code>
+[customizations.services]
+enabled = ["rsyslog"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id43" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id43"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service rsyslog
   block:
 
   - name: Gather the package facts
@@ -1523,9 +1526,6 @@
   - medium_severity
   - no_reboot_needed
   - service_rsyslog_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id43" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id43"><pre><code>
-[customizations.services]
-enabled = ["rsyslog"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id44" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id44"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_rsyslog
 
 class enable_rsyslog {
@@ -2631,7 +2631,11 @@
 information on the capabilities and configuration of each of the NTP daemons.</div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_ntp_installed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntp_installed" id="guide-tree-leaf-id112" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_ntp_installed"><span class="label label-default">Rule</span>  
                                 Install the ntp service
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_ntp_installed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The ntpd service should be installed.</div></td></tr><tr><td><span class="label label-primary">Rationale:</span></td><td><div class="rationale">Time synchronization (using NTP) is required by almost all network and administrative tasks (syslog, cryptographic based services (authentication, etc.), etc.). Ntpd is regulary maintained and updated, supporting security features such as RFC 5906.</div></td></tr><tr><td><span class="label label-warning">Severity:</span> </td><td><div class="severity">high</div></td></tr><tr><td><span class="label label-primary">Rule ID:</span></td><td>xccdf_org.ssgproject.content_rule_package_ntp_installed</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> 
-            <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT012(R03)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000160</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.4</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id113" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id113"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure ntp is installed
+            <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT012(R03)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000160</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.4</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id113" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id113"><pre><code>
+[[packages]]
+name = "ntp"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id114" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id114"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure ntp is installed
   package:
     name: ntp
     state: present
@@ -2645,10 +2649,6 @@
   - low_disruption
   - no_reboot_needed
   - package_ntp_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id114" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id114"><pre><code>
-[[packages]]
-name = "ntp"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id115" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id115"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_ntp
 
 class install_ntp {
/usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_high.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_high.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_high.html	2023-07-27 00:00:00.000000000 +0000
@@ -65,7 +65,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Profile for ANSSI DAT-NT28 High (Enforced) Level</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_np_nt28_high</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:debian:debian_linux:11 is applicable to this Benchmark">cpe:/o:debian:debian_linux:11</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_apt">APT service configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_DEBIAN-11"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_DEBIAN-11"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Debian 11
                           <small>Group contains 23 groups and 50 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_DEBIAN-11"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -354,7 +354,11 @@
 </li></ul></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_audit_installed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_audit_installed" id="guide-tree-leaf-id17" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_auditing"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_audit_installed"><span class="label label-default">Rule</span>  
                                 Ensure the audit Subsystem is Installed
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_audit_installed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The audit package should be installed.</div></td></tr><tr><td><span class="label label-primary">Rationale:</span></td><td><div class="rationale">The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy.</div></td></tr><tr><td><span class="label label-warning">Severity:</span> </td><td><div class="severity">medium</div></td></tr><tr><td><span class="label label-primary">Rule ID:</span></td><td>xccdf_org.ssgproject.content_rule_package_audit_installed</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> 
-            <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R50)</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000130</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000131</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000132</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000133</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000134</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000135</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000154</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000158</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000172</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001464</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001487</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001814</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001875</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001876</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001877</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001878</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001879</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001880</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001881</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001882</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001889</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001914</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002884</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000169</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-7(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-7(2)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-14</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(2)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.1</a>, <a href="https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf">10.2.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000062-GPOS-00031</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000037-GPOS-00015</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000038-GPOS-00016</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000039-GPOS-00017</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000040-GPOS-00018</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000041-GPOS-00019</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000042-GPOS-00021</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000051-GPOS-00024</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000054-GPOS-00025</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000122-GPOS-00063</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000254-GPOS-00095</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000255-GPOS-00096</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000337-GPOS-00129</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000348-GPOS-00136</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000349-GPOS-00137</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000350-GPOS-00138</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000351-GPOS-00139</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000352-GPOS-00140</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000353-GPOS-00141</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000354-GPOS-00142</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000358-GPOS-00145</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000365-GPOS-00152</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000475-GPOS-00220</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id18" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id18"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure auditd is installed
+            <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R50)</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000130</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000131</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000132</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000133</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000134</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000135</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000154</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000158</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000172</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001464</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001487</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001814</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001875</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001876</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001877</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001878</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001879</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001880</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001881</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001882</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001889</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001914</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002884</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000169</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-7(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-7(2)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-14</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(2)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.1</a>, <a href="https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf">10.2.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000062-GPOS-00031</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000037-GPOS-00015</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000038-GPOS-00016</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000039-GPOS-00017</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000040-GPOS-00018</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000041-GPOS-00019</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000042-GPOS-00021</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000051-GPOS-00024</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000054-GPOS-00025</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000122-GPOS-00063</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000254-GPOS-00095</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000255-GPOS-00096</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000337-GPOS-00129</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000348-GPOS-00136</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000349-GPOS-00137</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000350-GPOS-00138</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000351-GPOS-00139</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000352-GPOS-00140</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000353-GPOS-00141</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000354-GPOS-00142</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000358-GPOS-00145</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000365-GPOS-00152</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000475-GPOS-00220</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id18" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id18"><pre><code>
+[[packages]]
+name = "auditd"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id19" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id19"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure auditd is installed
   package:
     name: auditd
     state: present
@@ -375,10 +379,6 @@
   - medium_severity
   - no_reboot_needed
   - package_audit_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id19" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id19"><pre><code>
-[[packages]]
-name = "auditd"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id20" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id20"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_auditd
 
 class install_auditd {
@@ -401,7 +401,10 @@
 Additionally, a properly configured audit subsystem ensures that actions of
 individual system users can be uniquely traced to those users so they
 can be held accountable for their actions.</div></td></tr><tr><td><span class="label label-warning">Severity:</span> </td><td><div class="severity">medium</div></td></tr><tr><td><span class="label label-primary">Rule ID:</span></td><td>xccdf_org.ssgproject.content_rule_service_auditd_enabled</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> 
-            <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">19</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">4</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</a>, <a href="https://www.isaca.org/resources/cobit">APO10.01</a>, <a href="https://www.isaca.org/resources/cobit">APO10.03</a>, <a href="https://www.isaca.org/resources/cobit">APO10.04</a>, <a href="https://www.isaca.org/resources/cobit">APO10.05</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">APO12.06</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI08.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.01</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.03</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.04</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.05</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.6</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000126</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000130</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000131</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000132</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000133</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000134</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000135</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000154</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000158</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000172</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001464</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001487</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001814</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001875</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001876</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001877</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002884</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001878</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001879</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001880</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001881</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001882</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001889</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001914</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000169</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(iv)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(2)(iii)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.7</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(g)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-10</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-14(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-4(23)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.1</a>, <a href="https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf">10.2.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000062-GPOS-00031</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000037-GPOS-00015</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000038-GPOS-00016</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000039-GPOS-00017</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000040-GPOS-00018</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000041-GPOS-00019</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000042-GPOS-00021</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000051-GPOS-00024</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000054-GPOS-00025</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000122-GPOS-00063</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000254-GPOS-00095</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000255-GPOS-00096</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000337-GPOS-00129</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000348-GPOS-00136</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000349-GPOS-00137</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000350-GPOS-00138</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000351-GPOS-00139</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000352-GPOS-00140</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000353-GPOS-00141</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000354-GPOS-00142</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000358-GPOS-00145</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000365-GPOS-00152</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000475-GPOS-00220</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
+            <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">19</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">4</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</a>, <a href="https://www.isaca.org/resources/cobit">APO10.01</a>, <a href="https://www.isaca.org/resources/cobit">APO10.03</a>, <a href="https://www.isaca.org/resources/cobit">APO10.04</a>, <a href="https://www.isaca.org/resources/cobit">APO10.05</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">APO12.06</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI08.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.01</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.03</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.04</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.05</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.6</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000126</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000130</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000131</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000132</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000133</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000134</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000135</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000154</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000158</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000172</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001464</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001487</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001814</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001875</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001876</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001877</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002884</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001878</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001879</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001880</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001881</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001882</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001889</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001914</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000169</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(iv)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(2)(iii)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.7</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(g)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-10</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-14(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-4(23)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.1</a>, <a href="https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf">10.2.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000062-GPOS-00031</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000037-GPOS-00015</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000038-GPOS-00016</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000039-GPOS-00017</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000040-GPOS-00018</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000041-GPOS-00019</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000042-GPOS-00021</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000051-GPOS-00024</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000054-GPOS-00025</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000122-GPOS-00063</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000254-GPOS-00095</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000255-GPOS-00096</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000337-GPOS-00129</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000348-GPOS-00136</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000349-GPOS-00137</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000350-GPOS-00138</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000351-GPOS-00139</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000352-GPOS-00140</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000353-GPOS-00141</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000354-GPOS-00142</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000358-GPOS-00145</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000365-GPOS-00152</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000475-GPOS-00220</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><pre><code>
+[customizations.services]
+enabled = ["auditd"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id23" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id23"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -467,9 +470,6 @@
   - medium_severity
   - no_reboot_needed
   - service_auditd_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id23" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id23"><pre><code>
-[customizations.services]
-enabled = ["auditd"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id24" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id24"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_auditd
 
 class enable_auditd {
@@ -1623,7 +1623,11 @@
 <pre>
 $ apt-get install syslog-ng-core</pre></div></td></tr><tr><td><span class="label label-primary">Rationale:</span></td><td><div class="rationale">The syslog-ng-core package provides the syslog-ng daemon, which provides
 system logging services.</div></td></tr><tr><td><span class="label label-warning">Severity:</span> </td><td><div class="severity">medium</div></td></tr><tr><td><span class="label label-primary">Rule ID:</span></td><td>xccdf_org.ssgproject.content_rule_package_syslogng_installed</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> 
-            <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R46)</a>, <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R5)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001311</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001312</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id39" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id39"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure syslog-ng is installed
+            <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R46)</a>, <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R5)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001311</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001312</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id39" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id39"><pre><code>
+[[packages]]
+name = "syslog-ng"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id40" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id40"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure syslog-ng is installed
   package:
     name: syslog-ng
     state: present
@@ -1636,10 +1640,6 @@
   - medium_severity
   - no_reboot_needed
   - package_syslogng_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id40" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id40"><pre><code>
-[[packages]]
-name = "syslog-ng"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id41" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id41"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_syslog-ng
 
 class install_syslog-ng {
@@ -1654,7 +1654,10 @@
 The <code>syslog-ng</code> service can be enabled with the following command:
 <pre>$ sudo systemctl enable syslog-ng.service</pre></div></td></tr><tr><td><span class="label label-primary">Rationale:</span></td><td><div class="rationale">The <code>syslog-ng</code> service must be running in order to provide
 logging services, which are essential to system administration.</div></td></tr><tr><td><span class="label label-warning">Severity:</span> </td><td><div class="severity">medium</div></td></tr><tr><td><span class="label label-primary">Rule ID:</span></td><td>xccdf_org.ssgproject.content_rule_service_syslogng_enabled</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> 
-            <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R46)</a>, <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R5)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO10.01</a>, <a href="https://www.isaca.org/resources/cobit">APO10.03</a>, <a href="https://www.isaca.org/resources/cobit">APO10.04</a>, <a href="https://www.isaca.org/resources/cobit">APO10.05</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI04.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.01</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.03</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.04</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.05</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001311</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001312</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001557</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001851</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.17.2.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-4(1)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id43" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id43"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service syslog-ng
+            <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R46)</a>, <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R5)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO10.01</a>, <a href="https://www.isaca.org/resources/cobit">APO10.03</a>, <a href="https://www.isaca.org/resources/cobit">APO10.04</a>, <a href="https://www.isaca.org/resources/cobit">APO10.05</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI04.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.01</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.03</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.04</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.05</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001311</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001312</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001557</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001851</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.17.2.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-4(1)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id43" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id43"><pre><code>
+[customizations.services]
+enabled = ["syslog-ng"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id44" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id44"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service syslog-ng
   block:
 
   - name: Gather the package facts
@@ -1679,9 +1682,6 @@
   - medium_severity
   - no_reboot_needed
   - service_syslogng_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id44" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id44"><pre><code>
-[customizations.services]
-enabled = ["syslog-ng"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id45" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id45"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_syslog-ng
 
 class enable_syslog-ng {
@@ -1694,7 +1694,11 @@
                                 Ensure rsyslog is Installed
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_rsyslog_installed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Rsyslog is installed by default. The <code>rsyslog</code> package can be installed with the following command: <pre> $ apt-get install rsyslog</pre></div></td></tr><tr><td><span class="label label-primary">Rationale:</span></td><td><div class="rationale">The rsyslog package provides the rsyslog daemon, which provides
 system logging services.</div></td></tr><tr><td><span class="label label-warning">Severity:</span> </td><td><div class="severity">medium</div></td></tr><tr><td><span class="label label-primary">Rule ID:</span></td><td>xccdf_org.ssgproject.content_rule_package_rsyslog_installed</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> 
-            <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001311</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001312</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(ii)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FTP_ITC_EXT.1.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000479-GPOS-00224</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000051-GPOS-00024</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id47" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id47"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rsyslog is installed
+            <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001311</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001312</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(ii)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FTP_ITC_EXT.1.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000479-GPOS-00224</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000051-GPOS-00024</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id47" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id47"><pre><code>
+[[packages]]
+name = "rsyslog"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id48" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id48"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rsyslog is installed
   package:
     name: rsyslog
     state: present
@@ -1707,10 +1711,6 @@
   - medium_severity
   - no_reboot_needed
   - package_rsyslog_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id48" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id48"><pre><code>
-[[packages]]
-name = "rsyslog"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id49" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id49"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_rsyslog
 
 class install_rsyslog {
@@ -1725,7 +1725,10 @@
 The <code>rsyslog</code> service can be enabled with the following command:
 <pre>$ sudo systemctl enable rsyslog.service</pre></div></td></tr><tr><td><span class="label label-primary">Rationale:</span></td><td><div class="rationale">The <code>rsyslog</code> service must be running in order to provide
 logging services, which are essential to system administration.</div></td></tr><tr><td><span class="label label-warning">Severity:</span> </td><td><div class="severity">medium</div></td></tr><tr><td><span class="label label-primary">Rule ID:</span></td><td>xccdf_org.ssgproject.content_rule_service_rsyslog_enabled</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> 
-            <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO10.01</a>, <a href="https://www.isaca.org/resources/cobit">APO10.03</a>, <a href="https://www.isaca.org/resources/cobit">APO10.04</a>, <a href="https://www.isaca.org/resources/cobit">APO10.05</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI04.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.01</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.03</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.04</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.05</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001311</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001312</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001557</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001851</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(ii)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.17.2.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-4(1)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id51" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id51"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service rsyslog
+            <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO10.01</a>, <a href="https://www.isaca.org/resources/cobit">APO10.03</a>, <a href="https://www.isaca.org/resources/cobit">APO10.04</a>, <a href="https://www.isaca.org/resources/cobit">APO10.05</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI04.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.01</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.03</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.04</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.05</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001311</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001312</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001557</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001851</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(ii)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.17.2.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-4(1)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id51" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id51"><pre><code>
+[customizations.services]
+enabled = ["rsyslog"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id52" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id52"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service rsyslog
   block:
 
   - name: Gather the package facts
@@ -1750,9 +1753,6 @@
   - medium_severity
   - no_reboot_needed
   - service_rsyslog_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id52" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id52"><pre><code>
-[customizations.services]
-enabled = ["rsyslog"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id53" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id53"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_rsyslog
 
 class enable_rsyslog {
@@ -2642,7 +2642,11 @@
 configured defensively.</div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_cron_installed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_cron_installed" id="guide-tree-leaf-id101" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_cron_and_at"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_cron_installed"><span class="label label-default">Rule</span>  
                                 Install the cron service
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_cron_installed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The Cron service should be installed.</div></td></tr><tr><td><span class="label label-primary">Rationale:</span></td><td><div class="rationale">The cron service allow periodic job execution, needed for almost all administrative tasks and services (software update, log rotating, etc.). Access to cron service should be restricted to administrative accounts only.</div></td></tr><tr><td><span class="label label-warning">Severity:</span> </td><td><div class="severity">medium</div></td></tr><tr><td><span class="label label-primary">Rule ID:</span></td><td>xccdf_org.ssgproject.content_rule_package_cron_installed</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> 
-            <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R50)</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id102" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id102"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure cron is installed
+            <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R50)</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id102" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id102"><pre><code>
+[[packages]]
+name = "cron"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id103" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id103"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure cron is installed
   package:
     name: cron
     state: present
@@ -2655,10 +2659,6 @@
   - medium_severity
   - no_reboot_needed
   - package_cron_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id103" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id103"><pre><code>
-[[packages]]
-name = "cron"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id104" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id104"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_cron
 
 class install_cron {
@@ -2892,7 +2892,11 @@
 information on the capabilities and configuration of each of the NTP daemons.</div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_ntp_installed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntp_installed" id="guide-tree-leaf-id125" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_ntp_installed"><span class="label label-default">Rule</span>  
                                 Install the ntp service
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_ntp_installed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The ntpd service should be installed.</div></td></tr><tr><td><span class="label label-primary">Rationale:</span></td><td><div class="rationale">Time synchronization (using NTP) is required by almost all network and administrative tasks (syslog, cryptographic based services (authentication, etc.), etc.). Ntpd is regulary maintained and updated, supporting security features such as RFC 5906.</div></td></tr><tr><td><span class="label label-warning">Severity:</span> </td><td><div class="severity">high</div></td></tr><tr><td><span class="label label-primary">Rule ID:</span></td><td>xccdf_org.ssgproject.content_rule_package_ntp_installed</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> 
-            <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT012(R03)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000160</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.4</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id126" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id126"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure ntp is installed
+            <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT012(R03)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000160</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.4</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id126" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id126"><pre><code>
+[[packages]]
+name = "ntp"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id127" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id127"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure ntp is installed
   package:
     name: ntp
     state: present
@@ -2906,10 +2910,6 @@
   - low_disruption
   - no_reboot_needed
   - package_ntp_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id127" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id127"><pre><code>
-[[packages]]
-name = "ntp"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id128" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id128"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_ntp
 
 class install_ntp {
@@ -2931,7 +2931,10 @@
 <br><br>
 The NTP daemon offers all of the functionality of <code>ntpdate</code>, which is now
/usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_minimal.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_minimal.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_minimal.html	2023-07-27 00:00:00.000000000 +0000
@@ -65,7 +65,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Profile for ANSSI DAT-NT28 Minimal Level</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_np_nt28_minimal</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:debian:debian_linux:11 is applicable to this Benchmark">cpe:/o:debian:debian_linux:11</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_apt">APT service configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated services</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_DEBIAN-11"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_DEBIAN-11"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Debian 11
                           <small>Group contains 11 groups and 24 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_DEBIAN-11"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -237,7 +237,11 @@
 <pre>
 $ apt-get install syslog-ng-core</pre></div></td></tr><tr><td><span class="label label-primary">Rationale:</span></td><td><div class="rationale">The syslog-ng-core package provides the syslog-ng daemon, which provides
 system logging services.</div></td></tr><tr><td><span class="label label-warning">Severity:</span> </td><td><div class="severity">medium</div></td></tr><tr><td><span class="label label-primary">Rule ID:</span></td><td>xccdf_org.ssgproject.content_rule_package_syslogng_installed</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> 
-            <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R46)</a>, <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R5)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001311</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001312</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id13" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id13"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure syslog-ng is installed
+            <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R46)</a>, <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R5)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001311</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001312</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id13" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id13"><pre><code>
+[[packages]]
+name = "syslog-ng"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id14" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id14"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure syslog-ng is installed
   package:
     name: syslog-ng
     state: present
@@ -250,10 +254,6 @@
   - medium_severity
   - no_reboot_needed
   - package_syslogng_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id14" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id14"><pre><code>
-[[packages]]
-name = "syslog-ng"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id15" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id15"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_syslog-ng
 
 class install_syslog-ng {
@@ -268,7 +268,10 @@
 The <code>syslog-ng</code> service can be enabled with the following command:
 <pre>$ sudo systemctl enable syslog-ng.service</pre></div></td></tr><tr><td><span class="label label-primary">Rationale:</span></td><td><div class="rationale">The <code>syslog-ng</code> service must be running in order to provide
 logging services, which are essential to system administration.</div></td></tr><tr><td><span class="label label-warning">Severity:</span> </td><td><div class="severity">medium</div></td></tr><tr><td><span class="label label-primary">Rule ID:</span></td><td>xccdf_org.ssgproject.content_rule_service_syslogng_enabled</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> 
-            <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R46)</a>, <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R5)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO10.01</a>, <a href="https://www.isaca.org/resources/cobit">APO10.03</a>, <a href="https://www.isaca.org/resources/cobit">APO10.04</a>, <a href="https://www.isaca.org/resources/cobit">APO10.05</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI04.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.01</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.03</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.04</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.05</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001311</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001312</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001557</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001851</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.17.2.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-4(1)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id17" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id17"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service syslog-ng
+            <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R46)</a>, <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R5)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO10.01</a>, <a href="https://www.isaca.org/resources/cobit">APO10.03</a>, <a href="https://www.isaca.org/resources/cobit">APO10.04</a>, <a href="https://www.isaca.org/resources/cobit">APO10.05</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI04.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.01</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.03</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.04</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.05</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001311</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001312</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001557</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001851</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.17.2.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-4(1)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id17" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id17"><pre><code>
+[customizations.services]
+enabled = ["syslog-ng"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id18" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id18"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service syslog-ng
   block:
 
   - name: Gather the package facts
@@ -293,9 +296,6 @@
   - medium_severity
   - no_reboot_needed
   - service_syslogng_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id18" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id18"><pre><code>
-[customizations.services]
-enabled = ["syslog-ng"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id19" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id19"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_syslog-ng
 
 class enable_syslog-ng {
@@ -308,7 +308,11 @@
                                 Ensure rsyslog is Installed
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_rsyslog_installed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Rsyslog is installed by default. The <code>rsyslog</code> package can be installed with the following command: <pre> $ apt-get install rsyslog</pre></div></td></tr><tr><td><span class="label label-primary">Rationale:</span></td><td><div class="rationale">The rsyslog package provides the rsyslog daemon, which provides
 system logging services.</div></td></tr><tr><td><span class="label label-warning">Severity:</span> </td><td><div class="severity">medium</div></td></tr><tr><td><span class="label label-primary">Rule ID:</span></td><td>xccdf_org.ssgproject.content_rule_package_rsyslog_installed</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> 
-            <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001311</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001312</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(ii)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FTP_ITC_EXT.1.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000479-GPOS-00224</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000051-GPOS-00024</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id21" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id21"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rsyslog is installed
+            <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001311</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001312</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(ii)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FTP_ITC_EXT.1.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000479-GPOS-00224</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000051-GPOS-00024</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id21" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id21"><pre><code>
+[[packages]]
+name = "rsyslog"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rsyslog is installed
   package:
     name: rsyslog
     state: present
@@ -321,10 +325,6 @@
   - medium_severity
   - no_reboot_needed
   - package_rsyslog_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><pre><code>
-[[packages]]
-name = "rsyslog"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id23" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id23"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_rsyslog
 
 class install_rsyslog {
@@ -339,7 +339,10 @@
 The <code>rsyslog</code> service can be enabled with the following command:
 <pre>$ sudo systemctl enable rsyslog.service</pre></div></td></tr><tr><td><span class="label label-primary">Rationale:</span></td><td><div class="rationale">The <code>rsyslog</code> service must be running in order to provide
 logging services, which are essential to system administration.</div></td></tr><tr><td><span class="label label-warning">Severity:</span> </td><td><div class="severity">medium</div></td></tr><tr><td><span class="label label-primary">Rule ID:</span></td><td>xccdf_org.ssgproject.content_rule_service_rsyslog_enabled</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> 
-            <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO10.01</a>, <a href="https://www.isaca.org/resources/cobit">APO10.03</a>, <a href="https://www.isaca.org/resources/cobit">APO10.04</a>, <a href="https://www.isaca.org/resources/cobit">APO10.05</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI04.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.01</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.03</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.04</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.05</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001311</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001312</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001557</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001851</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(ii)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.17.2.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-4(1)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service rsyslog
+            <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO10.01</a>, <a href="https://www.isaca.org/resources/cobit">APO10.03</a>, <a href="https://www.isaca.org/resources/cobit">APO10.04</a>, <a href="https://www.isaca.org/resources/cobit">APO10.05</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI04.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.01</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.03</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.04</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.05</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001311</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001312</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001557</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001851</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(ii)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.17.2.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-4(1)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><pre><code>
+[customizations.services]
+enabled = ["rsyslog"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id26" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id26"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service rsyslog
   block:
 
   - name: Gather the package facts
@@ -364,9 +367,6 @@
   - medium_severity
   - no_reboot_needed
   - service_rsyslog_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id26" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id26"><pre><code>
-[customizations.services]
-enabled = ["rsyslog"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id27" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id27"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_rsyslog
 
 class enable_rsyslog {
/usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_restrictive.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_restrictive.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-anssi_np_nt28_restrictive.html	2023-07-27 00:00:00.000000000 +0000
@@ -65,7 +65,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Profile for ANSSI DAT-NT28 Restrictive Level</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:debian:debian_linux:11 is applicable to this Benchmark">cpe:/o:debian:debian_linux:11</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_apt">APT service configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_DEBIAN-11"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_DEBIAN-11"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Debian 11
                           <small>Group contains 22 groups and 49 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_DEBIAN-11"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -354,7 +354,11 @@
 </li></ul></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_audit_installed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_audit_installed" id="guide-tree-leaf-id17" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_auditing"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_audit_installed"><span class="label label-default">Rule</span>  
                                 Ensure the audit Subsystem is Installed
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_audit_installed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The audit package should be installed.</div></td></tr><tr><td><span class="label label-primary">Rationale:</span></td><td><div class="rationale">The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy.</div></td></tr><tr><td><span class="label label-warning">Severity:</span> </td><td><div class="severity">medium</div></td></tr><tr><td><span class="label label-primary">Rule ID:</span></td><td>xccdf_org.ssgproject.content_rule_package_audit_installed</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> 
-            <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R50)</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000130</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000131</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000132</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000133</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000134</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000135</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000154</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000158</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000172</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001464</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001487</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001814</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001875</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001876</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001877</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001878</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001879</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001880</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001881</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001882</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001889</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001914</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002884</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000169</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-7(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-7(2)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-14</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(2)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.1</a>, <a href="https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf">10.2.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000062-GPOS-00031</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000037-GPOS-00015</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000038-GPOS-00016</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000039-GPOS-00017</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000040-GPOS-00018</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000041-GPOS-00019</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000042-GPOS-00021</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000051-GPOS-00024</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000054-GPOS-00025</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000122-GPOS-00063</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000254-GPOS-00095</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000255-GPOS-00096</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000337-GPOS-00129</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000348-GPOS-00136</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000349-GPOS-00137</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000350-GPOS-00138</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000351-GPOS-00139</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000352-GPOS-00140</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000353-GPOS-00141</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000354-GPOS-00142</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000358-GPOS-00145</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000365-GPOS-00152</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000475-GPOS-00220</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id18" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id18"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure auditd is installed
+            <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R50)</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000130</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000131</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000132</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000133</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000134</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000135</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000154</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000158</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000172</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001464</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001487</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001814</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001875</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001876</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001877</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001878</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001879</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001880</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001881</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001882</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001889</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001914</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002884</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000169</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-7(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-7(2)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-14</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(2)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.1</a>, <a href="https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf">10.2.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000062-GPOS-00031</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000037-GPOS-00015</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000038-GPOS-00016</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000039-GPOS-00017</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000040-GPOS-00018</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000041-GPOS-00019</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000042-GPOS-00021</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000051-GPOS-00024</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000054-GPOS-00025</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000122-GPOS-00063</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000254-GPOS-00095</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000255-GPOS-00096</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000337-GPOS-00129</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000348-GPOS-00136</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000349-GPOS-00137</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000350-GPOS-00138</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000351-GPOS-00139</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000352-GPOS-00140</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000353-GPOS-00141</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000354-GPOS-00142</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000358-GPOS-00145</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000365-GPOS-00152</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000475-GPOS-00220</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id18" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id18"><pre><code>
+[[packages]]
+name = "auditd"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id19" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id19"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure auditd is installed
   package:
     name: auditd
     state: present
@@ -375,10 +379,6 @@
   - medium_severity
   - no_reboot_needed
   - package_audit_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id19" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id19"><pre><code>
-[[packages]]
-name = "auditd"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id20" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id20"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_auditd
 
 class install_auditd {
@@ -401,7 +401,10 @@
 Additionally, a properly configured audit subsystem ensures that actions of
 individual system users can be uniquely traced to those users so they
 can be held accountable for their actions.</div></td></tr><tr><td><span class="label label-warning">Severity:</span> </td><td><div class="severity">medium</div></td></tr><tr><td><span class="label label-primary">Rule ID:</span></td><td>xccdf_org.ssgproject.content_rule_service_auditd_enabled</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> 
-            <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">19</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">4</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</a>, <a href="https://www.isaca.org/resources/cobit">APO10.01</a>, <a href="https://www.isaca.org/resources/cobit">APO10.03</a>, <a href="https://www.isaca.org/resources/cobit">APO10.04</a>, <a href="https://www.isaca.org/resources/cobit">APO10.05</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">APO12.06</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI08.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.01</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.03</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.04</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.05</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.6</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000126</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000130</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000131</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000132</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000133</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000134</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000135</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000154</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000158</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000172</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001464</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001487</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001814</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001875</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001876</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001877</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002884</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001878</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001879</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001880</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001881</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001882</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001889</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001914</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000169</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(iv)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(2)(iii)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.7</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(g)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-10</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-14(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-4(23)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.1</a>, <a href="https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf">10.2.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000062-GPOS-00031</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000037-GPOS-00015</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000038-GPOS-00016</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000039-GPOS-00017</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000040-GPOS-00018</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000041-GPOS-00019</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000042-GPOS-00021</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000051-GPOS-00024</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000054-GPOS-00025</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000122-GPOS-00063</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000254-GPOS-00095</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000255-GPOS-00096</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000337-GPOS-00129</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000348-GPOS-00136</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000349-GPOS-00137</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000350-GPOS-00138</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000351-GPOS-00139</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000352-GPOS-00140</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000353-GPOS-00141</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000354-GPOS-00142</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000358-GPOS-00145</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000365-GPOS-00152</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000475-GPOS-00220</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
+            <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">19</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">4</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</a>, <a href="https://www.isaca.org/resources/cobit">APO10.01</a>, <a href="https://www.isaca.org/resources/cobit">APO10.03</a>, <a href="https://www.isaca.org/resources/cobit">APO10.04</a>, <a href="https://www.isaca.org/resources/cobit">APO10.05</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">APO12.06</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI08.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.01</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.03</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.04</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.05</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.6</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000126</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000130</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000131</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000132</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000133</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000134</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000135</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000154</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000158</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000172</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001464</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001487</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001814</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001875</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001876</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001877</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002884</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001878</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001879</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001880</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001881</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001882</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001889</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001914</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000169</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(iv)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(2)(iii)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.7</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(g)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-10</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-14(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-4(23)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.1</a>, <a href="https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf">10.2.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000062-GPOS-00031</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000037-GPOS-00015</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000038-GPOS-00016</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000039-GPOS-00017</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000040-GPOS-00018</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000041-GPOS-00019</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000042-GPOS-00021</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000051-GPOS-00024</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000054-GPOS-00025</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000122-GPOS-00063</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000254-GPOS-00095</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000255-GPOS-00096</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000337-GPOS-00129</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000348-GPOS-00136</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000349-GPOS-00137</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000350-GPOS-00138</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000351-GPOS-00139</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000352-GPOS-00140</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000353-GPOS-00141</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000354-GPOS-00142</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000358-GPOS-00145</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000365-GPOS-00152</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000475-GPOS-00220</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><pre><code>
+[customizations.services]
+enabled = ["auditd"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id23" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id23"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -467,9 +470,6 @@
   - medium_severity
   - no_reboot_needed
   - service_auditd_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id23" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id23"><pre><code>
-[customizations.services]
-enabled = ["auditd"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id24" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id24"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_auditd
 
 class enable_auditd {
@@ -1602,7 +1602,11 @@
 <pre>
 $ apt-get install syslog-ng-core</pre></div></td></tr><tr><td><span class="label label-primary">Rationale:</span></td><td><div class="rationale">The syslog-ng-core package provides the syslog-ng daemon, which provides
 system logging services.</div></td></tr><tr><td><span class="label label-warning">Severity:</span> </td><td><div class="severity">medium</div></td></tr><tr><td><span class="label label-primary">Rule ID:</span></td><td>xccdf_org.ssgproject.content_rule_package_syslogng_installed</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> 
-            <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R46)</a>, <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R5)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001311</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001312</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id38" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id38"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure syslog-ng is installed
+            <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R46)</a>, <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R5)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001311</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001312</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id38" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id38"><pre><code>
+[[packages]]
+name = "syslog-ng"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id39" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id39"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure syslog-ng is installed
   package:
     name: syslog-ng
     state: present
@@ -1615,10 +1619,6 @@
   - medium_severity
   - no_reboot_needed
   - package_syslogng_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id39" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id39"><pre><code>
-[[packages]]
-name = "syslog-ng"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id40" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id40"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_syslog-ng
 
 class install_syslog-ng {
@@ -1633,7 +1633,10 @@
 The <code>syslog-ng</code> service can be enabled with the following command:
 <pre>$ sudo systemctl enable syslog-ng.service</pre></div></td></tr><tr><td><span class="label label-primary">Rationale:</span></td><td><div class="rationale">The <code>syslog-ng</code> service must be running in order to provide
 logging services, which are essential to system administration.</div></td></tr><tr><td><span class="label label-warning">Severity:</span> </td><td><div class="severity">medium</div></td></tr><tr><td><span class="label label-primary">Rule ID:</span></td><td>xccdf_org.ssgproject.content_rule_service_syslogng_enabled</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> 
-            <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R46)</a>, <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R5)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO10.01</a>, <a href="https://www.isaca.org/resources/cobit">APO10.03</a>, <a href="https://www.isaca.org/resources/cobit">APO10.04</a>, <a href="https://www.isaca.org/resources/cobit">APO10.05</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI04.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.01</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.03</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.04</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.05</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001311</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001312</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001557</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001851</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.17.2.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-4(1)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id42" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id42"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service syslog-ng
+            <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R46)</a>, <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R5)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO10.01</a>, <a href="https://www.isaca.org/resources/cobit">APO10.03</a>, <a href="https://www.isaca.org/resources/cobit">APO10.04</a>, <a href="https://www.isaca.org/resources/cobit">APO10.05</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI04.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.01</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.03</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.04</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.05</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001311</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001312</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001557</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001851</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.17.2.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-4(1)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id42" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id42"><pre><code>
+[customizations.services]
+enabled = ["syslog-ng"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id43" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id43"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service syslog-ng
   block:
 
   - name: Gather the package facts
@@ -1658,9 +1661,6 @@
   - medium_severity
   - no_reboot_needed
   - service_syslogng_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id43" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id43"><pre><code>
-[customizations.services]
-enabled = ["syslog-ng"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id44" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id44"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_syslog-ng
 
 class enable_syslog-ng {
@@ -1673,7 +1673,11 @@
                                 Ensure rsyslog is Installed
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_rsyslog_installed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Rsyslog is installed by default. The <code>rsyslog</code> package can be installed with the following command: <pre> $ apt-get install rsyslog</pre></div></td></tr><tr><td><span class="label label-primary">Rationale:</span></td><td><div class="rationale">The rsyslog package provides the rsyslog daemon, which provides
 system logging services.</div></td></tr><tr><td><span class="label label-warning">Severity:</span> </td><td><div class="severity">medium</div></td></tr><tr><td><span class="label label-primary">Rule ID:</span></td><td>xccdf_org.ssgproject.content_rule_package_rsyslog_installed</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> 
-            <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001311</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001312</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(ii)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FTP_ITC_EXT.1.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000479-GPOS-00224</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000051-GPOS-00024</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id46" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id46"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rsyslog is installed
+            <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001311</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001312</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(ii)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FTP_ITC_EXT.1.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000479-GPOS-00224</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000051-GPOS-00024</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id46" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id46"><pre><code>
+[[packages]]
+name = "rsyslog"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id47" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id47"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rsyslog is installed
   package:
     name: rsyslog
     state: present
@@ -1686,10 +1690,6 @@
   - medium_severity
   - no_reboot_needed
   - package_rsyslog_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id47" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id47"><pre><code>
-[[packages]]
-name = "rsyslog"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id48" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id48"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_rsyslog
 
 class install_rsyslog {
@@ -1704,7 +1704,10 @@
 The <code>rsyslog</code> service can be enabled with the following command:
 <pre>$ sudo systemctl enable rsyslog.service</pre></div></td></tr><tr><td><span class="label label-primary">Rationale:</span></td><td><div class="rationale">The <code>rsyslog</code> service must be running in order to provide
 logging services, which are essential to system administration.</div></td></tr><tr><td><span class="label label-warning">Severity:</span> </td><td><div class="severity">medium</div></td></tr><tr><td><span class="label label-primary">Rule ID:</span></td><td>xccdf_org.ssgproject.content_rule_service_rsyslog_enabled</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> 
-            <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO10.01</a>, <a href="https://www.isaca.org/resources/cobit">APO10.03</a>, <a href="https://www.isaca.org/resources/cobit">APO10.04</a>, <a href="https://www.isaca.org/resources/cobit">APO10.05</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI04.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.01</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.03</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.04</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.05</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001311</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001312</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001557</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001851</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(ii)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.17.2.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-4(1)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id50" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id50"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service rsyslog
+            <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO10.01</a>, <a href="https://www.isaca.org/resources/cobit">APO10.03</a>, <a href="https://www.isaca.org/resources/cobit">APO10.04</a>, <a href="https://www.isaca.org/resources/cobit">APO10.05</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI04.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.01</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.03</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.04</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.05</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001311</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001312</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001557</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001851</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(ii)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.17.2.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-4(1)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id50" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id50"><pre><code>
+[customizations.services]
+enabled = ["rsyslog"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id51" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id51"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service rsyslog
   block:
 
   - name: Gather the package facts
@@ -1729,9 +1732,6 @@
   - medium_severity
   - no_reboot_needed
   - service_rsyslog_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id51" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id51"><pre><code>
-[customizations.services]
-enabled = ["rsyslog"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id52" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id52"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_rsyslog
 
 class enable_rsyslog {
@@ -2621,7 +2621,11 @@
 configured defensively.</div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_cron_installed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_cron_installed" id="guide-tree-leaf-id100" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_cron_and_at"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_cron_installed"><span class="label label-default">Rule</span>  
                                 Install the cron service
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_cron_installed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The Cron service should be installed.</div></td></tr><tr><td><span class="label label-primary">Rationale:</span></td><td><div class="rationale">The cron service allow periodic job execution, needed for almost all administrative tasks and services (software update, log rotating, etc.). Access to cron service should be restricted to administrative accounts only.</div></td></tr><tr><td><span class="label label-warning">Severity:</span> </td><td><div class="severity">medium</div></td></tr><tr><td><span class="label label-primary">Rule ID:</span></td><td>xccdf_org.ssgproject.content_rule_package_cron_installed</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> 
-            <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R50)</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id101" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id101"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure cron is installed
+            <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R50)</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id101" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id101"><pre><code>
+[[packages]]
+name = "cron"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id102" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id102"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure cron is installed
   package:
     name: cron
     state: present
@@ -2634,10 +2638,6 @@
   - medium_severity
   - no_reboot_needed
   - package_cron_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id102" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id102"><pre><code>
-[[packages]]
-name = "cron"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id103" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id103"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_cron
 
 class install_cron {
@@ -2871,7 +2871,11 @@
 information on the capabilities and configuration of each of the NTP daemons.</div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_ntp_installed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntp_installed" id="guide-tree-leaf-id124" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_ntp_installed"><span class="label label-default">Rule</span>  
                                 Install the ntp service
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_ntp_installed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The ntpd service should be installed.</div></td></tr><tr><td><span class="label label-primary">Rationale:</span></td><td><div class="rationale">Time synchronization (using NTP) is required by almost all network and administrative tasks (syslog, cryptographic based services (authentication, etc.), etc.). Ntpd is regulary maintained and updated, supporting security features such as RFC 5906.</div></td></tr><tr><td><span class="label label-warning">Severity:</span> </td><td><div class="severity">high</div></td></tr><tr><td><span class="label label-primary">Rule ID:</span></td><td>xccdf_org.ssgproject.content_rule_package_ntp_installed</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> 
-            <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT012(R03)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000160</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.4</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id125" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id125"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure ntp is installed
+            <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT012(R03)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000160</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.4</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id125" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id125"><pre><code>
+[[packages]]
+name = "ntp"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id126" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id126"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure ntp is installed
   package:
     name: ntp
     state: present
@@ -2885,10 +2889,6 @@
   - low_disruption
   - no_reboot_needed
   - package_ntp_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id126" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id126"><pre><code>
-[[packages]]
-name = "ntp"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id127" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id127"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_ntp
 
 class install_ntp {
@@ -2910,7 +2910,10 @@
 <br><br>
 The NTP daemon offers all of the functionality of <code>ntpdate</code>, which is now
/usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-standard.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-standard.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-debian11-guide-standard.html	2023-07-27 00:00:00.000000000 +0000
@@ -67,7 +67,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Standard System Security Profile for Debian 11</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_standard</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:debian:debian_linux:11 is applicable to this Benchmark">cpe:/o:debian:debian_linux:11</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_DEBIAN-11"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_DEBIAN-11"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Debian 11
                           <small>Group contains 19 groups and 44 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_DEBIAN-11"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -230,7 +230,11 @@
 </li></ul></div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_audit_installed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_audit_installed" id="guide-tree-leaf-id11" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_auditing"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_audit_installed"><span class="label label-default">Rule</span>  
                                 Ensure the audit Subsystem is Installed
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_audit_installed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The audit package should be installed.</div></td></tr><tr><td><span class="label label-primary">Rationale:</span></td><td><div class="rationale">The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy.</div></td></tr><tr><td><span class="label label-warning">Severity:</span> </td><td><div class="severity">medium</div></td></tr><tr><td><span class="label label-primary">Rule ID:</span></td><td>xccdf_org.ssgproject.content_rule_package_audit_installed</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> 
-            <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R50)</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000130</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000131</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000132</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000133</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000134</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000135</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000154</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000158</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000172</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001464</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001487</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001814</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001875</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001876</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001877</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001878</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001879</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001880</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001881</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001882</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001889</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001914</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002884</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000169</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-7(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-7(2)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-14</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(2)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.1</a>, <a href="https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf">10.2.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000062-GPOS-00031</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000037-GPOS-00015</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000038-GPOS-00016</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000039-GPOS-00017</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000040-GPOS-00018</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000041-GPOS-00019</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000042-GPOS-00021</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000051-GPOS-00024</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000054-GPOS-00025</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000122-GPOS-00063</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000254-GPOS-00095</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000255-GPOS-00096</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000337-GPOS-00129</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000348-GPOS-00136</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000349-GPOS-00137</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000350-GPOS-00138</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000351-GPOS-00139</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000352-GPOS-00140</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000353-GPOS-00141</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000354-GPOS-00142</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000358-GPOS-00145</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000365-GPOS-00152</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000475-GPOS-00220</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id12" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id12"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure auditd is installed
+            <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R50)</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000130</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000131</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000132</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000133</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000134</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000135</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000154</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000158</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000172</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001464</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001487</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001814</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001875</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001876</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001877</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001878</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001879</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001880</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001881</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001882</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001889</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001914</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002884</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000169</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-7(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-7(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-7(2)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-14</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(2)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.1</a>, <a href="https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf">10.2.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000062-GPOS-00031</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000037-GPOS-00015</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000038-GPOS-00016</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000039-GPOS-00017</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000040-GPOS-00018</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000041-GPOS-00019</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000042-GPOS-00021</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000051-GPOS-00024</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000054-GPOS-00025</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000122-GPOS-00063</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000254-GPOS-00095</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000255-GPOS-00096</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000337-GPOS-00129</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000348-GPOS-00136</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000349-GPOS-00137</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000350-GPOS-00138</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000351-GPOS-00139</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000352-GPOS-00140</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000353-GPOS-00141</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000354-GPOS-00142</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000358-GPOS-00145</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000365-GPOS-00152</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000475-GPOS-00220</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id12" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id12"><pre><code>
+[[packages]]
+name = "auditd"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id13" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id13"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure auditd is installed
   package:
     name: auditd
     state: present
@@ -251,10 +255,6 @@
   - medium_severity
   - no_reboot_needed
   - package_audit_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id13" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id13"><pre><code>
-[[packages]]
-name = "auditd"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id14" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id14"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_auditd
 
 class install_auditd {
@@ -277,7 +277,10 @@
 Additionally, a properly configured audit subsystem ensures that actions of
 individual system users can be uniquely traced to those users so they
 can be held accountable for their actions.</div></td></tr><tr><td><span class="label label-warning">Severity:</span> </td><td><div class="severity">medium</div></td></tr><tr><td><span class="label label-primary">Rule ID:</span></td><td>xccdf_org.ssgproject.content_rule_service_auditd_enabled</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> 
-            <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">19</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">4</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</a>, <a href="https://www.isaca.org/resources/cobit">APO10.01</a>, <a href="https://www.isaca.org/resources/cobit">APO10.03</a>, <a href="https://www.isaca.org/resources/cobit">APO10.04</a>, <a href="https://www.isaca.org/resources/cobit">APO10.05</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">APO12.06</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI08.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.01</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.03</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.04</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.05</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.6</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000126</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000130</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000131</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000132</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000133</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000134</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000135</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000154</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000158</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000172</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001464</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001487</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001814</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001875</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001876</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001877</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002884</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001878</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001879</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001880</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001881</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001882</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001889</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001914</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000169</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(iv)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(2)(iii)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.7</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(g)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-10</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-14(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-4(23)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.1</a>, <a href="https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf">10.2.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000062-GPOS-00031</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000037-GPOS-00015</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000038-GPOS-00016</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000039-GPOS-00017</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000040-GPOS-00018</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000041-GPOS-00019</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000042-GPOS-00021</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000051-GPOS-00024</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000054-GPOS-00025</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000122-GPOS-00063</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000254-GPOS-00095</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000255-GPOS-00096</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000337-GPOS-00129</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000348-GPOS-00136</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000349-GPOS-00137</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000350-GPOS-00138</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000351-GPOS-00139</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000352-GPOS-00140</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000353-GPOS-00141</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000354-GPOS-00142</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000358-GPOS-00145</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000365-GPOS-00152</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000475-GPOS-00220</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id16" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id16"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
+            <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">19</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">4</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</a>, <a href="https://www.isaca.org/resources/cobit">APO10.01</a>, <a href="https://www.isaca.org/resources/cobit">APO10.03</a>, <a href="https://www.isaca.org/resources/cobit">APO10.04</a>, <a href="https://www.isaca.org/resources/cobit">APO10.05</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">APO12.06</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI08.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS02.07</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.01</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.01</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.03</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.04</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.05</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.6</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000126</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000130</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000131</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000132</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000133</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000134</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000135</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000154</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000158</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000172</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001464</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001487</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001814</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001875</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001876</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001877</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-002884</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001878</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001879</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001880</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001881</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001882</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001889</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001914</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000169</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(iv)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(2)(iii)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.11.2.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.1.1</a>, <a href="https://www.iso.org/standard/54534.html">A.13.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.4</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.5</a>, <a href="https://www.iso.org/standard/54534.html">A.16.1.7</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.6.2.2</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3.3</a>, <a href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.5</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(g)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-3</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-10</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-14(1)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-4(23)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.1</a>, <a href="https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf">10.2.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000062-GPOS-00031</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000037-GPOS-00015</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000038-GPOS-00016</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000039-GPOS-00017</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000040-GPOS-00018</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000041-GPOS-00019</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000042-GPOS-00021</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000051-GPOS-00024</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000054-GPOS-00025</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000122-GPOS-00063</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000254-GPOS-00095</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000255-GPOS-00096</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000337-GPOS-00129</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000348-GPOS-00136</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000349-GPOS-00137</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000350-GPOS-00138</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000351-GPOS-00139</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000352-GPOS-00140</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000353-GPOS-00141</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000354-GPOS-00142</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000358-GPOS-00145</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000365-GPOS-00152</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000475-GPOS-00220</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id16" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id16"><pre><code>
+[customizations.services]
+enabled = ["auditd"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id17" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id17"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -343,9 +346,6 @@
   - medium_severity
   - no_reboot_needed
   - service_auditd_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id17" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id17"><pre><code>
-[customizations.services]
-enabled = ["auditd"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id18" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id18"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_auditd
 
 class enable_auditd {
@@ -1466,7 +1466,11 @@
                                 Ensure rsyslog is Installed
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_rsyslog_installed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Rsyslog is installed by default. The <code>rsyslog</code> package can be installed with the following command: <pre> $ apt-get install rsyslog</pre></div></td></tr><tr><td><span class="label label-primary">Rationale:</span></td><td><div class="rationale">The rsyslog package provides the rsyslog daemon, which provides
 system logging services.</div></td></tr><tr><td><span class="label label-warning">Severity:</span> </td><td><div class="severity">medium</div></td></tr><tr><td><span class="label label-primary">Rule ID:</span></td><td>xccdf_org.ssgproject.content_rule_package_rsyslog_installed</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> 
-            <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001311</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001312</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(ii)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FTP_ITC_EXT.1.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000479-GPOS-00224</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000051-GPOS-00024</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id32" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id32"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rsyslog is installed
+            <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001311</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001312</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(ii)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://www.niap-ccevs.org/Profile/PP.cfm">FTP_ITC_EXT.1.1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000479-GPOS-00224</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000051-GPOS-00024</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id32" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id32"><pre><code>
+[[packages]]
+name = "rsyslog"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id33" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id33"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rsyslog is installed
   package:
     name: rsyslog
     state: present
@@ -1479,10 +1483,6 @@
   - medium_severity
   - no_reboot_needed
   - package_rsyslog_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id33" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id33"><pre><code>
-[[packages]]
-name = "rsyslog"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id34" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id34"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_rsyslog
 
 class install_rsyslog {
@@ -1497,7 +1497,10 @@
 The <code>rsyslog</code> service can be enabled with the following command:
 <pre>$ sudo systemctl enable rsyslog.service</pre></div></td></tr><tr><td><span class="label label-primary">Rationale:</span></td><td><div class="rationale">The <code>rsyslog</code> service must be running in order to provide
 logging services, which are essential to system administration.</div></td></tr><tr><td><span class="label label-warning">Severity:</span> </td><td><div class="severity">medium</div></td></tr><tr><td><span class="label label-primary">Rule ID:</span></td><td>xccdf_org.ssgproject.content_rule_service_rsyslog_enabled</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> 
-            <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO10.01</a>, <a href="https://www.isaca.org/resources/cobit">APO10.03</a>, <a href="https://www.isaca.org/resources/cobit">APO10.04</a>, <a href="https://www.isaca.org/resources/cobit">APO10.05</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI04.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.01</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.03</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.04</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.05</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001311</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001312</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001557</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001851</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(ii)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.17.2.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-4(1)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id36" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id36"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service rsyslog
+            <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">12</a>, <a href="https://www.cisecurity.org/controls/">13</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">2</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.cisecurity.org/controls/">7</a>, <a href="https://www.cisecurity.org/controls/">8</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">APO10.01</a>, <a href="https://www.isaca.org/resources/cobit">APO10.03</a>, <a href="https://www.isaca.org/resources/cobit">APO10.04</a>, <a href="https://www.isaca.org/resources/cobit">APO10.05</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">APO13.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">BAI04.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS01.03</a>, <a href="https://www.isaca.org/resources/cobit">DSS03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.01</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.02</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.03</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.04</a>, <a href="https://www.isaca.org/resources/cobit">MEA01.05</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001311</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001312</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001557</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-001851</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000366</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(ii)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.7</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.1</a>, <a href="https://www.iso.org/standard/54534.html">A.15.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.17.2.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-4(1)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id36" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id36"><pre><code>
+[customizations.services]
+enabled = ["rsyslog"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id37" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id37"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service rsyslog
   block:
 
   - name: Gather the package facts
@@ -1522,9 +1525,6 @@
   - medium_severity
   - no_reboot_needed
   - service_rsyslog_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id37" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id37"><pre><code>
-[customizations.services]
-enabled = ["rsyslog"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id38" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id38"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_rsyslog
 
 class enable_rsyslog {
@@ -2400,7 +2400,11 @@
 configured defensively.</div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_cron_installed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_cron_installed" id="guide-tree-leaf-id84" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_cron_and_at"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_cron_installed"><span class="label label-default">Rule</span>  
                                 Install the cron service
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_cron_installed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The Cron service should be installed.</div></td></tr><tr><td><span class="label label-primary">Rationale:</span></td><td><div class="rationale">The cron service allow periodic job execution, needed for almost all administrative tasks and services (software update, log rotating, etc.). Access to cron service should be restricted to administrative accounts only.</div></td></tr><tr><td><span class="label label-warning">Severity:</span> </td><td><div class="severity">medium</div></td></tr><tr><td><span class="label label-primary">Rule ID:</span></td><td>xccdf_org.ssgproject.content_rule_package_cron_installed</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> 
-            <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R50)</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id85" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id85"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure cron is installed
+            <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R50)</a>, <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id85" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id85"><pre><code>
+[[packages]]
+name = "cron"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id86" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id86"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure cron is installed
   package:
     name: cron
     state: present
@@ -2413,10 +2417,6 @@
   - medium_severity
   - no_reboot_needed
   - package_cron_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id86" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id86"><pre><code>
-[[packages]]
-name = "cron"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id87" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id87"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_cron
 
 class install_cron {
@@ -2433,7 +2433,10 @@
 The <code>cron</code> service can be enabled with the following command:
 <pre>$ sudo systemctl enable cron.service</pre></div></td></tr><tr><td><span class="label label-primary">Rationale:</span></td><td><div class="rationale">Due to its usage for maintenance and security-supporting tasks,
 enabling the cron daemon is essential.</div></td></tr><tr><td><span class="label label-warning">Severity:</span> </td><td><div class="severity">medium</div></td></tr><tr><td><span class="label label-primary">Rule ID:</span></td><td>xccdf_org.ssgproject.content_rule_service_cron_enabled</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> 
-            <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf">2.2.6</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id89" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id89"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service cron
+            <a href="https://www.cisecurity.org/controls/">11</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">9</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.01</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.02</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.03</a>, <a href="https://www.isaca.org/resources/cobit">BAI10.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.02</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS06.06</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</a>, <a href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</a>, <a href="https://www.iso.org/standard/54534.html">A.12.1.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.5.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.6.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.2</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.3</a>, <a href="https://www.iso.org/standard/54534.html">A.14.2.4</a>, <a href="https://www.iso.org/standard/54534.html">A.9.1.2</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</a>, <a href="https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf">2.2.6</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id89" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id89"><pre><code>
+[customizations.services]
+enabled = ["cron"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id90" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id90"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service cron
   block:
 
   - name: Gather the package facts
@@ -2458,9 +2461,6 @@
   - medium_severity
   - no_reboot_needed
   - service_cron_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id90" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id90"><pre><code>
-[customizations.services]
-enabled = ["cron"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id91" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id91"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_cron
 
 class enable_cron {
@@ -2695,7 +2695,11 @@
 information on the capabilities and configuration of each of the NTP daemons.</div></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_ntp_installed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ntp_installed" id="guide-tree-leaf-id112" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_ntp"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_ntp_installed"><span class="label label-default">Rule</span>  
                                 Install the ntp service
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_ntp_installed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The ntpd service should be installed.</div></td></tr><tr><td><span class="label label-primary">Rationale:</span></td><td><div class="rationale">Time synchronization (using NTP) is required by almost all network and administrative tasks (syslog, cryptographic based services (authentication, etc.), etc.). Ntpd is regulary maintained and updated, supporting security features such as RFC 5906.</div></td></tr><tr><td><span class="label label-warning">Severity:</span> </td><td><div class="severity">high</div></td></tr><tr><td><span class="label label-primary">Rule ID:</span></td><td>xccdf_org.ssgproject.content_rule_package_ntp_installed</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> 
-            <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT012(R03)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000160</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.4</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id113" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id113"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure ntp is installed
+            <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT012(R03)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000160</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.4</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id113" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id113"><pre><code>
+[[packages]]
+name = "ntp"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id114" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id114"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure ntp is installed
   package:
     name: ntp
     state: present
@@ -2709,10 +2713,6 @@
   - low_disruption
   - no_reboot_needed
   - package_ntp_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id114" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id114"><pre><code>
-[[packages]]
-name = "ntp"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id115" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id115"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_ntp
 
 class install_ntp {
@@ -2734,7 +2734,10 @@
 <br><br>
 The NTP daemon offers all of the functionality of <code>ntpdate</code>, which is now
 deprecated.</div></td></tr><tr><td><span class="label label-warning">Severity:</span> </td><td><div class="severity">high</div></td></tr><tr><td><span class="label label-primary">Rule ID:</span></td><td>xccdf_org.ssgproject.content_rule_service_ntp_enabled</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> 
-            <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT012(R03)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000160</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.4</a>, <a href="https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf">10.6.1</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id117" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id117"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
+            <a href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT012(R03)</a>, <a href="https://www.cisecurity.org/controls/">1</a>, <a href="https://www.cisecurity.org/controls/">14</a>, <a href="https://www.cisecurity.org/controls/">15</a>, <a href="https://www.cisecurity.org/controls/">16</a>, <a href="https://www.cisecurity.org/controls/">3</a>, <a href="https://www.cisecurity.org/controls/">5</a>, <a href="https://www.cisecurity.org/controls/">6</a>, <a href="https://www.isaca.org/resources/cobit">APO11.04</a>, <a href="https://www.isaca.org/resources/cobit">BAI03.05</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.04</a>, <a href="https://www.isaca.org/resources/cobit">DSS05.07</a>, <a href="https://www.isaca.org/resources/cobit">MEA02.01</a>, <a href="https://public.cyber.mil/stigs/cci/">CCI-000160</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</a>, <a href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</a>, <a href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.1</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.2</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.3</a>, <a href="https://www.iso.org/standard/54534.html">A.12.4.4</a>, <a href="https://www.iso.org/standard/54534.html">A.12.7.1</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)(a)</a>, <a href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.4</a>, <a href="https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf">10.6.1</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id117" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id117"><pre><code>
+[customizations.services]
+enabled = ["ntp"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id118" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id118"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -2778,9 +2781,6 @@
   - low_disruption
   - no_reboot_needed
   - service_ntp_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id118" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id118"><pre><code>
-[customizations.services]
-enabled = ["ntp"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id119" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id119"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_ntp
 
 class enable_ntp {
/usr/share/xml/scap/ssg/content/ssg-debian10-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-debian10-ds-1.2.xml	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-debian10-ds-1.2.xml	2023-07-27 00:00:00.000000000 +0000
@@ -33,7 +33,7 @@
   </ds:component>
   <ds:component id="scap_org.open-scap_comp_ssg-debian10-xccdf.xml" timestamp="2023-07-27T00:00:00">
     <xccdf-1.2:Benchmark id="xccdf_org.ssgproject.content_benchmark_DEBIAN-10" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.2 xccdf-1.2.xsd" style="SCAP_1.2" resolved="true" xml:lang="en-US">
-      <xccdf-1.2:status date="2023-07-27">draft</xccdf-1.2:status>
+      <xccdf-1.2:status date="2039-08-29">draft</xccdf-1.2:status>
       <xccdf-1.2:title>Guide to the Secure Configuration of Debian 10</xccdf-1.2:title>
       <xccdf-1.2:description>This guide presents a catalog of security-relevant
 configuration settings for Debian 10. It is a rendering of
@@ -76,15 +76,14 @@
 countries. All other names are registered trademarks or trademarks of their
 respective companies.</xccdf-1.2:rear-matter>
       <cpe-lang:platform-specification>
-        <cpe-lang:platform id="package_net-snmp">
+        <cpe-lang:platform id="package_postfix">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-package_net-snmp:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_not_s390x_arch">
+        <cpe-lang:platform id="non-uefi">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="machine_and_not_osbuild">
@@ -95,44 +94,46 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_sssd">
+        <cpe-lang:platform id="package_ntp">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_postfix">
+        <cpe-lang:platform id="machine_and_not_s390x_arch">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_pam">
+        <cpe-lang:platform id="package_sssd">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="not_osbuild">
-          <cpe-lang:logical-test operator="AND" negate="true">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
+        <cpe-lang:platform id="machine_and_package_ufw">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine">
+        <cpe-lang:platform id="package_gdm">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-package_gdm:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_shadow-utils">
+        <cpe-lang:platform id="package_pam">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-package_shadow-utils:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_systemd">
+        <cpe-lang:platform id="package_chrony">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-package_systemd:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="non-uefi">
+        <cpe-lang:platform id="package_net-snmp">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-package_net-snmp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="package_sudo">
@@ -140,19 +141,14 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-package_sudo:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="not_package_nftables_and_not_package_ufw">
+        <cpe-lang:platform id="package_systemd">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:logical-test operator="AND" negate="true">
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-package_nftables:def:1"/>
-            </cpe-lang:logical-test>
-            <cpe-lang:logical-test operator="AND" negate="true">
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
-            </cpe-lang:logical-test>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-package_systemd:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_gdm">
+        <cpe-lang:platform id="aarch64_arch">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-package_gdm:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="grub2">
@@ -160,24 +156,29 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_grub2_package:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_ntp">
-          <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
+        <cpe-lang:platform id="not_osbuild">
+          <cpe-lang:logical-test operator="AND" negate="true">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_chrony">
+        <cpe-lang:platform id="not_package_nftables_and_not_package_ufw">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
+            <cpe-lang:logical-test operator="AND" negate="true">
+              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-package_nftables:def:1"/>
+            </cpe-lang:logical-test>
+            <cpe-lang:logical-test operator="AND" negate="true">
+              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
+            </cpe-lang:logical-test>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="aarch64_arch">
+        <cpe-lang:platform id="machine">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="s390x_arch">
+        <cpe-lang:platform id="uefi">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_s390x:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_uefi:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="package_audit">
@@ -185,15 +186,14 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-package_audit:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="uefi">
+        <cpe-lang:platform id="package_shadow-utils">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_uefi:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-package_shadow-utils:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_package_ufw">
+        <cpe-lang:platform id="s390x_arch">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_s390x:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
       </cpe-lang:platform-specification>
@@ -2029,6 +2029,11 @@
                   <xccdf-1.2:reference href="https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf">11.5.2</xccdf-1.2:reference>
                   <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000445-GPOS-00199</xccdf-1.2:reference>
                   <xccdf-1.2:rationale>The AIDE package must be installed if it is to be available for integrity checking.</xccdf-1.2:rationale>
+                  <xccdf-1.2:fix system="urn:redhat:osbuild:blueprint" id="package_aide_installed">
+[[packages]]
+name = "aide"
+version = "*"
+</xccdf-1.2:fix>
                   <xccdf-1.2:fix system="urn:xccdf:fix:script:ansible" id="package_aide_installed" complexity="low" disruption="low" reboot="false" strategy="enable">- name: Ensure aide is installed
   package:
     name: aide
@@ -2046,11 +2051,6 @@
   - no_reboot_needed
   - package_aide_installed
 </xccdf-1.2:fix>
-                  <xccdf-1.2:fix system="urn:redhat:osbuild:blueprint" id="package_aide_installed">
-[[packages]]
-name = "aide"
-version = "*"
-</xccdf-1.2:fix>
                   <xccdf-1.2:fix system="urn:xccdf:fix:script:puppet" id="package_aide_installed" complexity="low" disruption="low" reboot="false" strategy="enable">include install_aide
/usr/share/xml/scap/ssg/content/ssg-debian10-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-debian10-ds.xml	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-debian10-ds.xml	2023-07-27 00:00:00.000000000 +0000
@@ -33,7 +33,7 @@
   </ds:component>
   <ds:component id="scap_org.open-scap_comp_ssg-debian10-xccdf.xml" timestamp="2023-07-27T00:00:00">
     <xccdf-1.2:Benchmark id="xccdf_org.ssgproject.content_benchmark_DEBIAN-10" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.2 xccdf-1.2.xsd" style="SCAP_1.2" resolved="true" xml:lang="en-US">
-      <xccdf-1.2:status date="2023-07-27">draft</xccdf-1.2:status>
+      <xccdf-1.2:status date="2039-08-29">draft</xccdf-1.2:status>
       <xccdf-1.2:title>Guide to the Secure Configuration of Debian 10</xccdf-1.2:title>
       <xccdf-1.2:description>This guide presents a catalog of security-relevant
 configuration settings for Debian 10. It is a rendering of
@@ -76,15 +76,14 @@
 countries. All other names are registered trademarks or trademarks of their
 respective companies.</xccdf-1.2:rear-matter>
       <cpe-lang:platform-specification>
-        <cpe-lang:platform id="package_net-snmp">
+        <cpe-lang:platform id="package_postfix">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-package_net-snmp:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_not_s390x_arch">
+        <cpe-lang:platform id="non-uefi">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="machine_and_not_osbuild">
@@ -95,44 +94,46 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_sssd">
+        <cpe-lang:platform id="package_ntp">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_postfix">
+        <cpe-lang:platform id="machine_and_not_s390x_arch">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_pam">
+        <cpe-lang:platform id="package_sssd">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="not_osbuild">
-          <cpe-lang:logical-test operator="AND" negate="true">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
+        <cpe-lang:platform id="machine_and_package_ufw">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine">
+        <cpe-lang:platform id="package_gdm">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-package_gdm:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_shadow-utils">
+        <cpe-lang:platform id="package_pam">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-package_shadow-utils:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_systemd">
+        <cpe-lang:platform id="package_chrony">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-package_systemd:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="non-uefi">
+        <cpe-lang:platform id="package_net-snmp">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-package_net-snmp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="package_sudo">
@@ -140,19 +141,14 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-package_sudo:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="not_package_nftables_and_not_package_ufw">
+        <cpe-lang:platform id="package_systemd">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:logical-test operator="AND" negate="true">
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-package_nftables:def:1"/>
-            </cpe-lang:logical-test>
-            <cpe-lang:logical-test operator="AND" negate="true">
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
-            </cpe-lang:logical-test>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-package_systemd:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_gdm">
+        <cpe-lang:platform id="aarch64_arch">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-package_gdm:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="grub2">
@@ -160,24 +156,29 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_grub2_package:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_ntp">
-          <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
+        <cpe-lang:platform id="not_osbuild">
+          <cpe-lang:logical-test operator="AND" negate="true">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_chrony">
+        <cpe-lang:platform id="not_package_nftables_and_not_package_ufw">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
+            <cpe-lang:logical-test operator="AND" negate="true">
+              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-package_nftables:def:1"/>
+            </cpe-lang:logical-test>
+            <cpe-lang:logical-test operator="AND" negate="true">
+              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
+            </cpe-lang:logical-test>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="aarch64_arch">
+        <cpe-lang:platform id="machine">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="s390x_arch">
+        <cpe-lang:platform id="uefi">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_s390x:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_uefi:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="package_audit">
@@ -185,15 +186,14 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-package_audit:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="uefi">
+        <cpe-lang:platform id="package_shadow-utils">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_uefi:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-package_shadow-utils:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_package_ufw">
+        <cpe-lang:platform id="s390x_arch">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_s390x:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
       </cpe-lang:platform-specification>
@@ -2029,6 +2029,11 @@
                   <xccdf-1.2:reference href="https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf">11.5.2</xccdf-1.2:reference>
                   <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000445-GPOS-00199</xccdf-1.2:reference>
                   <xccdf-1.2:rationale>The AIDE package must be installed if it is to be available for integrity checking.</xccdf-1.2:rationale>
+                  <xccdf-1.2:fix system="urn:redhat:osbuild:blueprint" id="package_aide_installed">
+[[packages]]
+name = "aide"
+version = "*"
+</xccdf-1.2:fix>
                   <xccdf-1.2:fix system="urn:xccdf:fix:script:ansible" id="package_aide_installed" complexity="low" disruption="low" reboot="false" strategy="enable">- name: Ensure aide is installed
   package:
     name: aide
@@ -2046,11 +2051,6 @@
   - no_reboot_needed
   - package_aide_installed
 </xccdf-1.2:fix>
-                  <xccdf-1.2:fix system="urn:redhat:osbuild:blueprint" id="package_aide_installed">
-[[packages]]
-name = "aide"
-version = "*"
-</xccdf-1.2:fix>
                   <xccdf-1.2:fix system="urn:xccdf:fix:script:puppet" id="package_aide_installed" complexity="low" disruption="low" reboot="false" strategy="enable">include install_aide
/usr/share/xml/scap/ssg/content/ssg-debian10-ocil.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-debian10-ocil.xml	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-debian10-ocil.xml	2023-07-27 00:00:00.000000000 +0000
@@ -7,754 +7,760 @@
     <ocil:timestamp>2023-07-27T00:00:00</ocil:timestamp>
   </ocil:generator>
   <ocil:questionnaires>
-    <ocil:questionnaire id="ocil:ssg-account_passwords_pam_faillock_dir_ocil:questionnaire:1">
-      <ocil:title>Account Lockouts Must Persist</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-kernel_config_kexec_ocil:questionnaire:1">
+      <ocil:title>Disable kexec system call</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-account_passwords_pam_faillock_dir_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-kernel_config_kexec_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-sshd_enable_warning_banner_net_ocil:questionnaire:1">
-      <ocil:title>Enable SSH Warning Banner</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-audit_rules_login_events_tallylog_ocil:questionnaire:1">
+      <ocil:title>Record Attempts to Alter Logon and Logout Events - tallylog</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-sshd_enable_warning_banner_net_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-audit_rules_login_events_tallylog_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-package_MFEhiplsm_installed_ocil:questionnaire:1">
-      <ocil:title>Install the Host Intrusion Prevention System (HIPS) Module</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-rsyslog_files_ownership_ocil:questionnaire:1">
+      <ocil:title>Ensure Log Files Are Owned By Appropriate User</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-package_MFEhiplsm_installed_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-rsyslog_files_ownership_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-grub2_disable_recovery_ocil:questionnaire:1">
-      <ocil:title>Disable Recovery Booting</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-auditd_data_retention_max_log_file_action_ocil:questionnaire:1">
+      <ocil:title>Configure auditd max_log_file_action Upon Reaching Maximum Log Size</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-grub2_disable_recovery_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-auditd_data_retention_max_log_file_action_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-sudo_vdsm_nopasswd_ocil:questionnaire:1">
-      <ocil:title>Only the VDSM User Can Use sudo NOPASSWD</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-file_groupowner_var_log_syslog_ocil:questionnaire:1">
+      <ocil:title>Verify Group Who Owns /var/log/syslog File</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-sudo_vdsm_nopasswd_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-file_groupowner_var_log_syslog_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-file_owner_var_log_messages_ocil:questionnaire:1">
-      <ocil:title>Verify User Who Owns /var/log/messages File</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-grub2_nosmep_argument_absent_ocil:questionnaire:1">
+      <ocil:title>Ensure SMEP is not disabled during boot</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-file_owner_var_log_messages_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-grub2_nosmep_argument_absent_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-file_groupowner_etc_shadow_ocil:questionnaire:1">
-      <ocil:title>Verify Group Who Owns shadow File</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-auditd_data_disk_full_action_ocil:questionnaire:1">
+      <ocil:title>Configure auditd Disk Full Action when Disk Space Is Full</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-file_groupowner_etc_shadow_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-auditd_data_disk_full_action_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-file_permissions_backup_etc_shadow_ocil:questionnaire:1">
-      <ocil:title>Verify Permissions on Backup shadow File</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-set_iptables_default_rule_forward_ocil:questionnaire:1">
+      <ocil:title>Set Default iptables Policy for Forwarded Packets</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-file_permissions_backup_etc_shadow_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-set_iptables_default_rule_forward_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-set_ip6tables_default_rule_ocil:questionnaire:1">
-      <ocil:title>Set Default ip6tables Policy for Incoming Packets</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-dir_ownership_library_dirs_ocil:questionnaire:1">
+      <ocil:title>Verify that Shared Library Directories Have Root Ownership</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-set_ip6tables_default_rule_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-dir_ownership_library_dirs_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-file_groupowner_backup_etc_shadow_ocil:questionnaire:1">
-      <ocil:title>Verify User Who Owns Backup shadow File</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-audit_rules_time_adjtimex_ocil:questionnaire:1">
+      <ocil:title>Record attempts to alter time through adjtimex</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-file_groupowner_backup_etc_shadow_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-audit_rules_time_adjtimex_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-audit_rules_sysadmin_actions_ocil:questionnaire:1">
-      <ocil:title>Ensure auditd Collects System Administrator Actions</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-package_rsyslog_installed_ocil:questionnaire:1">
+      <ocil:title>Ensure rsyslog is Installed</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-audit_rules_sysadmin_actions_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-package_rsyslog_installed_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-sshd_enable_pubkey_auth_ocil:questionnaire:1">
-      <ocil:title>Enable Public Key Authentication</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-grub2_nosmap_argument_absent_ocil:questionnaire:1">
+      <ocil:title>Ensure SMAP is not disabled during boot</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-sshd_enable_pubkey_auth_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv4_conf_all_arp_filter_ocil:questionnaire:1">
-      <ocil:title>Configure ARP filtering for All IPv4 Interfaces</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-sshd_disable_rhosts_rsa_ocil:questionnaire:1">
+      <ocil:title>Disable SSH Support for Rhosts RSA Authentication</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv4_conf_all_arp_filter_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-sshd_disable_rhosts_rsa_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-snmpd_not_default_password_ocil:questionnaire:1">
-      <ocil:title>Ensure Default SNMP Password Is Not Used</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-configure_user_data_backups_ocil:questionnaire:1">
+      <ocil:title>Configure Backups of User Data</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-snmpd_not_default_password_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-configure_user_data_backups_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-file_groupowner_backup_etc_gshadow_ocil:questionnaire:1">
-      <ocil:title>Verify Group Who Owns Backup gshadow File</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-service_ufw_enabled_ocil:questionnaire:1">
+      <ocil:title>Verify ufw Enabled</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-file_groupowner_backup_etc_gshadow_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-service_ufw_enabled_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-kernel_config_seccomp_filter_ocil:questionnaire:1">
-      <ocil:title>Enable use of Berkeley Packet Filter with seccomp</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-sshd_disable_kerb_auth_ocil:questionnaire:1">
+      <ocil:title>Disable Kerberos Authentication</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-kernel_config_seccomp_filter_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-sshd_disable_kerb_auth_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-auditd_data_retention_admin_space_left_action_ocil:questionnaire:1">
-      <ocil:title>Configure auditd admin_space_left Action on Low Disk Space</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-auditd_overflow_action_ocil:questionnaire:1">
+      <ocil:title>Appropriate Action Must be Setup When the Internal Audit Event Queue is Full</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-auditd_data_retention_admin_space_left_action_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-auditd_overflow_action_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-auditd_data_retention_max_log_file_action_stig_ocil:questionnaire:1">
-      <ocil:title>Configure auditd max_log_file_action Upon Reaching Maximum Log Size</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-auditd_data_disk_error_action_stig_ocil:questionnaire:1">
+      <ocil:title>Configure auditd Disk Error Action on Disk Error</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-auditd_data_retention_max_log_file_action_stig_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-auditd_data_disk_error_action_stig_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-audit_rules_file_deletion_events_unlinkat_ocil:questionnaire:1">
-      <ocil:title>Ensure auditd Collects File Deletion Events by User - unlinkat</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-sshd_set_idle_timeout_ocil:questionnaire:1">
+      <ocil:title>Set SSH Client Alive Interval</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-audit_rules_file_deletion_events_unlinkat_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-sshd_set_idle_timeout_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-file_owner_backup_etc_gshadow_ocil:questionnaire:1">
-      <ocil:title>Verify User Who Owns Backup gshadow File</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-no_direct_root_logins_ocil:questionnaire:1">
+      <ocil:title>Direct root Logins Not Allowed</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-file_owner_backup_etc_gshadow_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-no_direct_root_logins_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-kernel_config_randomize_memory_ocil:questionnaire:1">
-      <ocil:title>Randomize the kernel memory sections</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-accounts_polyinstantiated_tmp_ocil:questionnaire:1">
+      <ocil:title>Configure Polyinstantiation of /tmp Directories</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-kernel_config_randomize_memory_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-accounts_polyinstantiated_tmp_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-file_owner_etc_shadow_ocil:questionnaire:1">
-      <ocil:title>Verify User Who Owns shadow File</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-kernel_module_ipv6_option_disabled_ocil:questionnaire:1">
+      <ocil:title>Disable IPv6 Networking Support Automatic Loading</ocil:title>
       <ocil:actions>
/usr/share/xml/scap/ssg/content/ssg-debian10-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-debian10-xccdf.xml	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-debian10-xccdf.xml	2023-07-27 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
 <?xml version="1.0"?>
 <xccdf-1.2:Benchmark xmlns:cpe-lang="http://cpe.mitre.org/language/2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:html="http://www.w3.org/1999/xhtml" xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="xccdf_org.ssgproject.content_benchmark_DEBIAN-10" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.2 xccdf-1.2.xsd" style="SCAP_1.2" resolved="true" xml:lang="en-US">
-  <xccdf-1.2:status date="2023-07-27">draft</xccdf-1.2:status>
+  <xccdf-1.2:status date="2039-08-29">draft</xccdf-1.2:status>
   <xccdf-1.2:title>Guide to the Secure Configuration of Debian 10</xccdf-1.2:title>
   <xccdf-1.2:description>This guide presents a catalog of security-relevant
 configuration settings for Debian 10. It is a rendering of
@@ -43,15 +43,14 @@
 countries. All other names are registered trademarks or trademarks of their
 respective companies.</xccdf-1.2:rear-matter>
   <cpe-lang:platform-specification>
-    <cpe-lang:platform id="package_net-snmp">
+    <cpe-lang:platform id="package_postfix">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-package_net-snmp:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="machine_and_not_s390x_arch">
+    <cpe-lang:platform id="non-uefi">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
     <cpe-lang:platform id="machine_and_not_osbuild">
@@ -62,44 +61,46 @@
         <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_sssd">
+    <cpe-lang:platform id="package_ntp">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_postfix">
+    <cpe-lang:platform id="machine_and_not_s390x_arch">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_pam">
+    <cpe-lang:platform id="package_sssd">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="not_osbuild">
-      <cpe-lang:logical-test operator="AND" negate="true">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
+    <cpe-lang:platform id="machine_and_package_ufw">
+      <cpe-lang:logical-test operator="AND" negate="false">
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="machine">
+    <cpe-lang:platform id="package_gdm">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-package_gdm:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_shadow-utils">
+    <cpe-lang:platform id="package_pam">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-package_shadow-utils:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_systemd">
+    <cpe-lang:platform id="package_chrony">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-package_systemd:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="non-uefi">
+    <cpe-lang:platform id="package_net-snmp">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-package_net-snmp:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
     <cpe-lang:platform id="package_sudo">
@@ -107,19 +108,14 @@
         <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-package_sudo:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="not_package_nftables_and_not_package_ufw">
+    <cpe-lang:platform id="package_systemd">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:logical-test operator="AND" negate="true">
-          <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-package_nftables:def:1"/>
-        </cpe-lang:logical-test>
-        <cpe-lang:logical-test operator="AND" negate="true">
-          <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
-        </cpe-lang:logical-test>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-package_systemd:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_gdm">
+    <cpe-lang:platform id="aarch64_arch">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-package_gdm:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
     <cpe-lang:platform id="grub2">
@@ -127,24 +123,29 @@
         <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_grub2_package:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_ntp">
-      <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
+    <cpe-lang:platform id="not_osbuild">
+      <cpe-lang:logical-test operator="AND" negate="true">
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_chrony">
+    <cpe-lang:platform id="not_package_nftables_and_not_package_ufw">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
+        <cpe-lang:logical-test operator="AND" negate="true">
+          <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-package_nftables:def:1"/>
+        </cpe-lang:logical-test>
+        <cpe-lang:logical-test operator="AND" negate="true">
+          <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
+        </cpe-lang:logical-test>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="aarch64_arch">
+    <cpe-lang:platform id="machine">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="s390x_arch">
+    <cpe-lang:platform id="uefi">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_s390x:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_uefi:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
     <cpe-lang:platform id="package_audit">
@@ -152,15 +153,14 @@
         <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-package_audit:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="uefi">
+    <cpe-lang:platform id="package_shadow-utils">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_uefi:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-package_shadow-utils:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="machine_and_package_ufw">
+    <cpe-lang:platform id="s390x_arch">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian10-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_s390x:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
   </cpe-lang:platform-specification>
@@ -1996,6 +1996,11 @@
               <xccdf-1.2:reference href="https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf">11.5.2</xccdf-1.2:reference>
               <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000445-GPOS-00199</xccdf-1.2:reference>
               <xccdf-1.2:rationale>The AIDE package must be installed if it is to be available for integrity checking.</xccdf-1.2:rationale>
+              <xccdf-1.2:fix system="urn:redhat:osbuild:blueprint" id="package_aide_installed">
+[[packages]]
+name = "aide"
+version = "*"
+</xccdf-1.2:fix>
               <xccdf-1.2:fix system="urn:xccdf:fix:script:ansible" id="package_aide_installed" complexity="low" disruption="low" reboot="false" strategy="enable">- name: Ensure aide is installed
   package:
     name: aide
@@ -2013,11 +2018,6 @@
   - no_reboot_needed
   - package_aide_installed
 </xccdf-1.2:fix>
-              <xccdf-1.2:fix system="urn:redhat:osbuild:blueprint" id="package_aide_installed">
-[[packages]]
-name = "aide"
-version = "*"
-</xccdf-1.2:fix>
               <xccdf-1.2:fix system="urn:xccdf:fix:script:puppet" id="package_aide_installed" complexity="low" disruption="low" reboot="false" strategy="enable">include install_aide
 
/usr/share/xml/scap/ssg/content/ssg-debian11-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-debian11-ds-1.2.xml	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-debian11-ds-1.2.xml	2023-07-27 00:00:00.000000000 +0000
@@ -33,7 +33,7 @@
   </ds:component>
   <ds:component id="scap_org.open-scap_comp_ssg-debian11-xccdf.xml" timestamp="2023-07-27T00:00:00">
     <xccdf-1.2:Benchmark id="xccdf_org.ssgproject.content_benchmark_DEBIAN-11" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.2 xccdf-1.2.xsd" style="SCAP_1.2" resolved="true" xml:lang="en-US">
-      <xccdf-1.2:status date="2023-07-27">draft</xccdf-1.2:status>
+      <xccdf-1.2:status date="2039-08-29">draft</xccdf-1.2:status>
       <xccdf-1.2:title>Guide to the Secure Configuration of Debian 11</xccdf-1.2:title>
       <xccdf-1.2:description>This guide presents a catalog of security-relevant
 configuration settings for Debian 11. It is a rendering of
@@ -76,15 +76,14 @@
 countries. All other names are registered trademarks or trademarks of their
 respective companies.</xccdf-1.2:rear-matter>
       <cpe-lang:platform-specification>
-        <cpe-lang:platform id="package_net-snmp">
+        <cpe-lang:platform id="package_postfix">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-package_net-snmp:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_not_s390x_arch">
+        <cpe-lang:platform id="non-uefi">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="machine_and_not_osbuild">
@@ -95,44 +94,46 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_sssd">
+        <cpe-lang:platform id="package_ntp">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_postfix">
+        <cpe-lang:platform id="machine_and_not_s390x_arch">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_pam">
+        <cpe-lang:platform id="package_sssd">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="not_osbuild">
-          <cpe-lang:logical-test operator="AND" negate="true">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
+        <cpe-lang:platform id="machine_and_package_ufw">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine">
+        <cpe-lang:platform id="package_gdm">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-package_gdm:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_shadow-utils">
+        <cpe-lang:platform id="package_pam">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-package_shadow-utils:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_systemd">
+        <cpe-lang:platform id="package_chrony">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-package_systemd:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="non-uefi">
+        <cpe-lang:platform id="package_net-snmp">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-package_net-snmp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="package_sudo">
@@ -140,19 +141,14 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-package_sudo:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="not_package_nftables_and_not_package_ufw">
+        <cpe-lang:platform id="package_systemd">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:logical-test operator="AND" negate="true">
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-package_nftables:def:1"/>
-            </cpe-lang:logical-test>
-            <cpe-lang:logical-test operator="AND" negate="true">
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
-            </cpe-lang:logical-test>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-package_systemd:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_gdm">
+        <cpe-lang:platform id="aarch64_arch">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-package_gdm:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="grub2">
@@ -160,24 +156,29 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_grub2_package:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_ntp">
-          <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
+        <cpe-lang:platform id="not_osbuild">
+          <cpe-lang:logical-test operator="AND" negate="true">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_chrony">
+        <cpe-lang:platform id="not_package_nftables_and_not_package_ufw">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
+            <cpe-lang:logical-test operator="AND" negate="true">
+              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-package_nftables:def:1"/>
+            </cpe-lang:logical-test>
+            <cpe-lang:logical-test operator="AND" negate="true">
+              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
+            </cpe-lang:logical-test>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="aarch64_arch">
+        <cpe-lang:platform id="machine">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="s390x_arch">
+        <cpe-lang:platform id="uefi">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_s390x:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_uefi:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="package_audit">
@@ -185,15 +186,14 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-package_audit:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="uefi">
+        <cpe-lang:platform id="package_shadow-utils">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_uefi:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-package_shadow-utils:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_package_ufw">
+        <cpe-lang:platform id="s390x_arch">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_s390x:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
       </cpe-lang:platform-specification>
@@ -2029,6 +2029,11 @@
                   <xccdf-1.2:reference href="https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf">11.5.2</xccdf-1.2:reference>
                   <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000445-GPOS-00199</xccdf-1.2:reference>
                   <xccdf-1.2:rationale>The AIDE package must be installed if it is to be available for integrity checking.</xccdf-1.2:rationale>
+                  <xccdf-1.2:fix system="urn:redhat:osbuild:blueprint" id="package_aide_installed">
+[[packages]]
+name = "aide"
+version = "*"
+</xccdf-1.2:fix>
                   <xccdf-1.2:fix system="urn:xccdf:fix:script:ansible" id="package_aide_installed" complexity="low" disruption="low" reboot="false" strategy="enable">- name: Ensure aide is installed
   package:
     name: aide
@@ -2046,11 +2051,6 @@
   - no_reboot_needed
   - package_aide_installed
 </xccdf-1.2:fix>
-                  <xccdf-1.2:fix system="urn:redhat:osbuild:blueprint" id="package_aide_installed">
-[[packages]]
-name = "aide"
-version = "*"
-</xccdf-1.2:fix>
                   <xccdf-1.2:fix system="urn:xccdf:fix:script:puppet" id="package_aide_installed" complexity="low" disruption="low" reboot="false" strategy="enable">include install_aide
/usr/share/xml/scap/ssg/content/ssg-debian11-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-debian11-ds.xml	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-debian11-ds.xml	2023-07-27 00:00:00.000000000 +0000
@@ -33,7 +33,7 @@
   </ds:component>
   <ds:component id="scap_org.open-scap_comp_ssg-debian11-xccdf.xml" timestamp="2023-07-27T00:00:00">
     <xccdf-1.2:Benchmark id="xccdf_org.ssgproject.content_benchmark_DEBIAN-11" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.2 xccdf-1.2.xsd" style="SCAP_1.2" resolved="true" xml:lang="en-US">
-      <xccdf-1.2:status date="2023-07-27">draft</xccdf-1.2:status>
+      <xccdf-1.2:status date="2039-08-29">draft</xccdf-1.2:status>
       <xccdf-1.2:title>Guide to the Secure Configuration of Debian 11</xccdf-1.2:title>
       <xccdf-1.2:description>This guide presents a catalog of security-relevant
 configuration settings for Debian 11. It is a rendering of
@@ -76,15 +76,14 @@
 countries. All other names are registered trademarks or trademarks of their
 respective companies.</xccdf-1.2:rear-matter>
       <cpe-lang:platform-specification>
-        <cpe-lang:platform id="package_net-snmp">
+        <cpe-lang:platform id="package_postfix">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-package_net-snmp:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_not_s390x_arch">
+        <cpe-lang:platform id="non-uefi">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="machine_and_not_osbuild">
@@ -95,44 +94,46 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_sssd">
+        <cpe-lang:platform id="package_ntp">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_postfix">
+        <cpe-lang:platform id="machine_and_not_s390x_arch">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_pam">
+        <cpe-lang:platform id="package_sssd">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="not_osbuild">
-          <cpe-lang:logical-test operator="AND" negate="true">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
+        <cpe-lang:platform id="machine_and_package_ufw">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine">
+        <cpe-lang:platform id="package_gdm">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-package_gdm:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_shadow-utils">
+        <cpe-lang:platform id="package_pam">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-package_shadow-utils:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_systemd">
+        <cpe-lang:platform id="package_chrony">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-package_systemd:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="non-uefi">
+        <cpe-lang:platform id="package_net-snmp">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-package_net-snmp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="package_sudo">
@@ -140,19 +141,14 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-package_sudo:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="not_package_nftables_and_not_package_ufw">
+        <cpe-lang:platform id="package_systemd">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:logical-test operator="AND" negate="true">
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-package_nftables:def:1"/>
-            </cpe-lang:logical-test>
-            <cpe-lang:logical-test operator="AND" negate="true">
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
-            </cpe-lang:logical-test>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-package_systemd:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_gdm">
+        <cpe-lang:platform id="aarch64_arch">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-package_gdm:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="grub2">
@@ -160,24 +156,29 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_grub2_package:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_ntp">
-          <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
+        <cpe-lang:platform id="not_osbuild">
+          <cpe-lang:logical-test operator="AND" negate="true">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_chrony">
+        <cpe-lang:platform id="not_package_nftables_and_not_package_ufw">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
+            <cpe-lang:logical-test operator="AND" negate="true">
+              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-package_nftables:def:1"/>
+            </cpe-lang:logical-test>
+            <cpe-lang:logical-test operator="AND" negate="true">
+              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
+            </cpe-lang:logical-test>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="aarch64_arch">
+        <cpe-lang:platform id="machine">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="s390x_arch">
+        <cpe-lang:platform id="uefi">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_s390x:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_uefi:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="package_audit">
@@ -185,15 +186,14 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-package_audit:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="uefi">
+        <cpe-lang:platform id="package_shadow-utils">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_uefi:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-package_shadow-utils:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_package_ufw">
+        <cpe-lang:platform id="s390x_arch">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_s390x:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
       </cpe-lang:platform-specification>
@@ -2029,6 +2029,11 @@
                   <xccdf-1.2:reference href="https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf">11.5.2</xccdf-1.2:reference>
                   <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000445-GPOS-00199</xccdf-1.2:reference>
                   <xccdf-1.2:rationale>The AIDE package must be installed if it is to be available for integrity checking.</xccdf-1.2:rationale>
+                  <xccdf-1.2:fix system="urn:redhat:osbuild:blueprint" id="package_aide_installed">
+[[packages]]
+name = "aide"
+version = "*"
+</xccdf-1.2:fix>
                   <xccdf-1.2:fix system="urn:xccdf:fix:script:ansible" id="package_aide_installed" complexity="low" disruption="low" reboot="false" strategy="enable">- name: Ensure aide is installed
   package:
     name: aide
@@ -2046,11 +2051,6 @@
   - no_reboot_needed
   - package_aide_installed
 </xccdf-1.2:fix>
-                  <xccdf-1.2:fix system="urn:redhat:osbuild:blueprint" id="package_aide_installed">
-[[packages]]
-name = "aide"
-version = "*"
-</xccdf-1.2:fix>
                   <xccdf-1.2:fix system="urn:xccdf:fix:script:puppet" id="package_aide_installed" complexity="low" disruption="low" reboot="false" strategy="enable">include install_aide
/usr/share/xml/scap/ssg/content/ssg-debian11-ocil.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-debian11-ocil.xml	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-debian11-ocil.xml	2023-07-27 00:00:00.000000000 +0000
@@ -7,754 +7,760 @@
     <ocil:timestamp>2023-07-27T00:00:00</ocil:timestamp>
   </ocil:generator>
   <ocil:questionnaires>
-    <ocil:questionnaire id="ocil:ssg-account_passwords_pam_faillock_dir_ocil:questionnaire:1">
-      <ocil:title>Account Lockouts Must Persist</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-kernel_config_kexec_ocil:questionnaire:1">
+      <ocil:title>Disable kexec system call</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-account_passwords_pam_faillock_dir_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-kernel_config_kexec_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-sshd_enable_warning_banner_net_ocil:questionnaire:1">
-      <ocil:title>Enable SSH Warning Banner</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-audit_rules_login_events_tallylog_ocil:questionnaire:1">
+      <ocil:title>Record Attempts to Alter Logon and Logout Events - tallylog</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-sshd_enable_warning_banner_net_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-audit_rules_login_events_tallylog_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-package_MFEhiplsm_installed_ocil:questionnaire:1">
-      <ocil:title>Install the Host Intrusion Prevention System (HIPS) Module</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-rsyslog_files_ownership_ocil:questionnaire:1">
+      <ocil:title>Ensure Log Files Are Owned By Appropriate User</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-package_MFEhiplsm_installed_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-rsyslog_files_ownership_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-grub2_disable_recovery_ocil:questionnaire:1">
-      <ocil:title>Disable Recovery Booting</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-auditd_data_retention_max_log_file_action_ocil:questionnaire:1">
+      <ocil:title>Configure auditd max_log_file_action Upon Reaching Maximum Log Size</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-grub2_disable_recovery_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-auditd_data_retention_max_log_file_action_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-sudo_vdsm_nopasswd_ocil:questionnaire:1">
-      <ocil:title>Only the VDSM User Can Use sudo NOPASSWD</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-file_groupowner_var_log_syslog_ocil:questionnaire:1">
+      <ocil:title>Verify Group Who Owns /var/log/syslog File</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-sudo_vdsm_nopasswd_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-file_groupowner_var_log_syslog_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-file_owner_var_log_messages_ocil:questionnaire:1">
-      <ocil:title>Verify User Who Owns /var/log/messages File</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-grub2_nosmep_argument_absent_ocil:questionnaire:1">
+      <ocil:title>Ensure SMEP is not disabled during boot</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-file_owner_var_log_messages_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-grub2_nosmep_argument_absent_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-file_groupowner_etc_shadow_ocil:questionnaire:1">
-      <ocil:title>Verify Group Who Owns shadow File</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-auditd_data_disk_full_action_ocil:questionnaire:1">
+      <ocil:title>Configure auditd Disk Full Action when Disk Space Is Full</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-file_groupowner_etc_shadow_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-auditd_data_disk_full_action_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-file_permissions_backup_etc_shadow_ocil:questionnaire:1">
-      <ocil:title>Verify Permissions on Backup shadow File</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-set_iptables_default_rule_forward_ocil:questionnaire:1">
+      <ocil:title>Set Default iptables Policy for Forwarded Packets</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-file_permissions_backup_etc_shadow_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-set_iptables_default_rule_forward_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-set_ip6tables_default_rule_ocil:questionnaire:1">
-      <ocil:title>Set Default ip6tables Policy for Incoming Packets</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-dir_ownership_library_dirs_ocil:questionnaire:1">
+      <ocil:title>Verify that Shared Library Directories Have Root Ownership</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-set_ip6tables_default_rule_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-dir_ownership_library_dirs_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-file_groupowner_backup_etc_shadow_ocil:questionnaire:1">
-      <ocil:title>Verify User Who Owns Backup shadow File</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-audit_rules_time_adjtimex_ocil:questionnaire:1">
+      <ocil:title>Record attempts to alter time through adjtimex</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-file_groupowner_backup_etc_shadow_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-audit_rules_time_adjtimex_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-audit_rules_sysadmin_actions_ocil:questionnaire:1">
-      <ocil:title>Ensure auditd Collects System Administrator Actions</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-package_rsyslog_installed_ocil:questionnaire:1">
+      <ocil:title>Ensure rsyslog is Installed</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-audit_rules_sysadmin_actions_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-package_rsyslog_installed_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-sshd_enable_pubkey_auth_ocil:questionnaire:1">
-      <ocil:title>Enable Public Key Authentication</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-grub2_nosmap_argument_absent_ocil:questionnaire:1">
+      <ocil:title>Ensure SMAP is not disabled during boot</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-sshd_enable_pubkey_auth_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv4_conf_all_arp_filter_ocil:questionnaire:1">
-      <ocil:title>Configure ARP filtering for All IPv4 Interfaces</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-sshd_disable_rhosts_rsa_ocil:questionnaire:1">
+      <ocil:title>Disable SSH Support for Rhosts RSA Authentication</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv4_conf_all_arp_filter_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-sshd_disable_rhosts_rsa_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-snmpd_not_default_password_ocil:questionnaire:1">
-      <ocil:title>Ensure Default SNMP Password Is Not Used</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-configure_user_data_backups_ocil:questionnaire:1">
+      <ocil:title>Configure Backups of User Data</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-snmpd_not_default_password_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-configure_user_data_backups_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-file_groupowner_backup_etc_gshadow_ocil:questionnaire:1">
-      <ocil:title>Verify Group Who Owns Backup gshadow File</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-service_ufw_enabled_ocil:questionnaire:1">
+      <ocil:title>Verify ufw Enabled</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-file_groupowner_backup_etc_gshadow_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-service_ufw_enabled_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-kernel_config_seccomp_filter_ocil:questionnaire:1">
-      <ocil:title>Enable use of Berkeley Packet Filter with seccomp</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-sshd_disable_kerb_auth_ocil:questionnaire:1">
+      <ocil:title>Disable Kerberos Authentication</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-kernel_config_seccomp_filter_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-sshd_disable_kerb_auth_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-auditd_data_retention_admin_space_left_action_ocil:questionnaire:1">
-      <ocil:title>Configure auditd admin_space_left Action on Low Disk Space</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-auditd_overflow_action_ocil:questionnaire:1">
+      <ocil:title>Appropriate Action Must be Setup When the Internal Audit Event Queue is Full</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-auditd_data_retention_admin_space_left_action_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-auditd_overflow_action_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-auditd_data_retention_max_log_file_action_stig_ocil:questionnaire:1">
-      <ocil:title>Configure auditd max_log_file_action Upon Reaching Maximum Log Size</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-auditd_data_disk_error_action_stig_ocil:questionnaire:1">
+      <ocil:title>Configure auditd Disk Error Action on Disk Error</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-auditd_data_retention_max_log_file_action_stig_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-auditd_data_disk_error_action_stig_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-audit_rules_file_deletion_events_unlinkat_ocil:questionnaire:1">
-      <ocil:title>Ensure auditd Collects File Deletion Events by User - unlinkat</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-sshd_set_idle_timeout_ocil:questionnaire:1">
+      <ocil:title>Set SSH Client Alive Interval</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-audit_rules_file_deletion_events_unlinkat_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-sshd_set_idle_timeout_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-file_owner_backup_etc_gshadow_ocil:questionnaire:1">
-      <ocil:title>Verify User Who Owns Backup gshadow File</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-no_direct_root_logins_ocil:questionnaire:1">
+      <ocil:title>Direct root Logins Not Allowed</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-file_owner_backup_etc_gshadow_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-no_direct_root_logins_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-kernel_config_randomize_memory_ocil:questionnaire:1">
-      <ocil:title>Randomize the kernel memory sections</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-accounts_polyinstantiated_tmp_ocil:questionnaire:1">
+      <ocil:title>Configure Polyinstantiation of /tmp Directories</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-kernel_config_randomize_memory_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-accounts_polyinstantiated_tmp_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-file_owner_etc_shadow_ocil:questionnaire:1">
-      <ocil:title>Verify User Who Owns shadow File</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-kernel_module_ipv6_option_disabled_ocil:questionnaire:1">
+      <ocil:title>Disable IPv6 Networking Support Automatic Loading</ocil:title>
       <ocil:actions>
/usr/share/xml/scap/ssg/content/ssg-debian11-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-debian11-xccdf.xml	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-debian11-xccdf.xml	2023-07-27 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
 <?xml version="1.0"?>
 <xccdf-1.2:Benchmark xmlns:cpe-lang="http://cpe.mitre.org/language/2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:html="http://www.w3.org/1999/xhtml" xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="xccdf_org.ssgproject.content_benchmark_DEBIAN-11" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.2 xccdf-1.2.xsd" style="SCAP_1.2" resolved="true" xml:lang="en-US">
-  <xccdf-1.2:status date="2023-07-27">draft</xccdf-1.2:status>
+  <xccdf-1.2:status date="2039-08-29">draft</xccdf-1.2:status>
   <xccdf-1.2:title>Guide to the Secure Configuration of Debian 11</xccdf-1.2:title>
   <xccdf-1.2:description>This guide presents a catalog of security-relevant
 configuration settings for Debian 11. It is a rendering of
@@ -43,15 +43,14 @@
 countries. All other names are registered trademarks or trademarks of their
 respective companies.</xccdf-1.2:rear-matter>
   <cpe-lang:platform-specification>
-    <cpe-lang:platform id="package_net-snmp">
+    <cpe-lang:platform id="package_postfix">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-package_net-snmp:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="machine_and_not_s390x_arch">
+    <cpe-lang:platform id="non-uefi">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
     <cpe-lang:platform id="machine_and_not_osbuild">
@@ -62,44 +61,46 @@
         <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_sssd">
+    <cpe-lang:platform id="package_ntp">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_postfix">
+    <cpe-lang:platform id="machine_and_not_s390x_arch">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_pam">
+    <cpe-lang:platform id="package_sssd">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="not_osbuild">
-      <cpe-lang:logical-test operator="AND" negate="true">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
+    <cpe-lang:platform id="machine_and_package_ufw">
+      <cpe-lang:logical-test operator="AND" negate="false">
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="machine">
+    <cpe-lang:platform id="package_gdm">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-package_gdm:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_shadow-utils">
+    <cpe-lang:platform id="package_pam">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-package_shadow-utils:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_systemd">
+    <cpe-lang:platform id="package_chrony">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-package_systemd:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="non-uefi">
+    <cpe-lang:platform id="package_net-snmp">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-package_net-snmp:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
     <cpe-lang:platform id="package_sudo">
@@ -107,19 +108,14 @@
         <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-package_sudo:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="not_package_nftables_and_not_package_ufw">
+    <cpe-lang:platform id="package_systemd">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:logical-test operator="AND" negate="true">
-          <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-package_nftables:def:1"/>
-        </cpe-lang:logical-test>
-        <cpe-lang:logical-test operator="AND" negate="true">
-          <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
-        </cpe-lang:logical-test>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-package_systemd:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_gdm">
+    <cpe-lang:platform id="aarch64_arch">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-package_gdm:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
     <cpe-lang:platform id="grub2">
@@ -127,24 +123,29 @@
         <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_grub2_package:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_ntp">
-      <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
+    <cpe-lang:platform id="not_osbuild">
+      <cpe-lang:logical-test operator="AND" negate="true">
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_chrony">
+    <cpe-lang:platform id="not_package_nftables_and_not_package_ufw">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
+        <cpe-lang:logical-test operator="AND" negate="true">
+          <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-package_nftables:def:1"/>
+        </cpe-lang:logical-test>
+        <cpe-lang:logical-test operator="AND" negate="true">
+          <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
+        </cpe-lang:logical-test>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="aarch64_arch">
+    <cpe-lang:platform id="machine">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="s390x_arch">
+    <cpe-lang:platform id="uefi">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_s390x:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_uefi:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
     <cpe-lang:platform id="package_audit">
@@ -152,15 +153,14 @@
         <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-package_audit:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="uefi">
+    <cpe-lang:platform id="package_shadow-utils">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_uefi:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-package_shadow-utils:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="machine_and_package_ufw">
+    <cpe-lang:platform id="s390x_arch">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-debian11-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_s390x:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
   </cpe-lang:platform-specification>
@@ -1996,6 +1996,11 @@
               <xccdf-1.2:reference href="https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf">11.5.2</xccdf-1.2:reference>
               <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000445-GPOS-00199</xccdf-1.2:reference>
               <xccdf-1.2:rationale>The AIDE package must be installed if it is to be available for integrity checking.</xccdf-1.2:rationale>
+              <xccdf-1.2:fix system="urn:redhat:osbuild:blueprint" id="package_aide_installed">
+[[packages]]
+name = "aide"
+version = "*"
+</xccdf-1.2:fix>
               <xccdf-1.2:fix system="urn:xccdf:fix:script:ansible" id="package_aide_installed" complexity="low" disruption="low" reboot="false" strategy="enable">- name: Ensure aide is installed
   package:
     name: aide
@@ -2013,11 +2018,6 @@
   - no_reboot_needed
   - package_aide_installed
 </xccdf-1.2:fix>
-              <xccdf-1.2:fix system="urn:redhat:osbuild:blueprint" id="package_aide_installed">
-[[packages]]
-name = "aide"
-version = "*"
-</xccdf-1.2:fix>
               <xccdf-1.2:fix system="urn:xccdf:fix:script:puppet" id="package_aide_installed" complexity="low" disruption="low" reboot="false" strategy="enable">include install_aide
 
RPMS.2017/scap-security-guide-redhat-0.1.68-0.0.noarch.rpm RPMS/scap-security-guide-redhat-0.1.68-0.0.noarch.rpm differ: byte 225, line 1
Comparing scap-security-guide-redhat-0.1.68-0.0.noarch.rpm to scap-security-guide-redhat-0.1.68-0.0.noarch.rpm
comparing the rpm tags of scap-security-guide-redhat
--- old-rpm-tags
+++ new-rpm-tags
@@ -796,13 +796,13 @@
-/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-C2S.html 611210ea292d2e5ddccf7ddfb52e96f62249a1d12100c771261579701de4e3b9 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-anssi_nt28_enhanced.html 2a374f88400ba8671809487f8b542fe9bbac2f66c3eb9a1af8d4e643a06f6882 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-anssi_nt28_high.html e6f0717d9ac54152f9831985915439fafc96419658f638604369548cce7cdb75 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-anssi_nt28_intermediary.html 2fb10926b4f02807764e06533d1b263e3f31cabb067b2614d1c925b5b9428e26 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-anssi_nt28_minimal.html 1ec64beed5d86f9284d68864d835b089619ce1e1d313615e5f5a17e1680b95ef 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-cis.html a07a9558b50040ae7cffc01d9bdc094199f0d322bc33752cb99a1fffe6f19c69 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-cis_server_l1.html 26f15455a85e43a34f7a855dd4703e3374a69ea1426f0f73c3e93a417244ab63 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-cis_workstation_l1.html 889a8382b6efec9bca2fc38950dc3e39dadcbc3e87489426411c516291d44b9a 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-cis_workstation_l2.html 4d7a752a31138efdbb5803cfab671891349065b1df145ff5a5fc8da9f93c3328 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-cjis.html b16ca38639bfcb226b366f0fc4efd89855eb43728228c659afbbde3febc6de4e 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-cui.html d8019a252788d70c6a4680351557d913079cc458ff00512c45b1b0c98a0ebae3 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-e8.html e253edd10f99359bca1124081b74aac0df38b9aca07fddcb2d17cd3d98926d29 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-hipaa.html 8c0abc192cda0e5c4b47712d448fb6d98d480d3b98a5f81f9316cfcc751efc25 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-C2S.html 0fc3970cf4abd80e9ce41e8b36e020684d83f48297984ba3526e49c3a08638bb 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-anssi_nt28_enhanced.html 942aaca4629f9e63ab40e3095703a6d3eaf9bc21bb1203abb811937028a782ea 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-anssi_nt28_high.html 7300f7d416614b3d3afcfe254b6caa28fbe3cb20688b82e518f4cc540b661c0b 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-anssi_nt28_intermediary.html 7877722fe7d1e85787acd218ec328bdfbe573b9ee042e017d39c72be2cf9a9a2 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-anssi_nt28_minimal.html 98fd910566eff572e29474a020a406d4c5dd16fbb9e19f29ab9a3c8e2394f566 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-cis.html 037237b4470209396186a997d7efa7540548451c7d33adda812491ba644f4b46 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-cis_server_l1.html 47102409de01114309b928a3eac06a0dd14354727e782cc29c7681920b506448 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-cis_workstation_l1.html 8e3c9c6f35bc2f2799c567fc4c6ca249c22e27fc85f1b414a3df442d054148c6 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-cis_workstation_l2.html b715cb85c30931b8dc57020c7404edbbed1c8dd8be0424d6dce2f110cce7cfda 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-cjis.html b53b1b48bf6e0589126ded8d1a220a7d2ac1b6ff06178bd83b81db2d23d32c34 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-cui.html c74b719bd28a73d7880355012c85ee4c4ac565918196450521e46109e5f2d4d8 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-e8.html 84f4f8b333d627a852f47e871279ce08efccbb7c5829b490cfdc8797e248e5f9 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-hipaa.html 414dbba52868ae1ca47dc72c4b835acbcec1893a0bb4171f7041d7f781270d9c 2
@@ -810,21 +810,21 @@
-/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-ncp.html b28df039bb5431b2458400a53c1ca9dfbc4074c3a5ab29079d4346ee6a187ef7 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-ospp.html 46184a553e912315e53aa543bed2b324cfac03a8c4d1ea914b5f3437031c576b 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-pci-dss.html 45243543d04f7b6f85bff46687ab9aa7581637d47bf268dacf621453bb748006 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-rhelh-stig.html 244a54a4e74d7bb1485161b55fde012480db521fee899748387f9d0fb5d1b2d8 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-rhelh-vpp.html 7ca184700bfe974d1e409e8da07c62b78a88cb110c019c849b8351a94616fd92 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-rht-ccp.html 062cb019a7a9a164177a00bfbfe6c855bea2263fc6dba257c64d6892c537c244 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-standard.html 4b8971b337448dffa0be2438a3068f9efd2e551f926ec662657cc325051be8f9 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-stig.html 08d4c7d5d445d90f3a5b5670e0c292daafffc3aa3cb11240cb02b278672e6f26 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-stig_gui.html cd036faae74178f3380756beb10c2ece885d23a23c2add026630a367f87cbb81 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-anssi_bp28_enhanced.html b84dbae726d85661b3997898e1bc8a2173394a4428bc8007b46ad00e27e36897 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-anssi_bp28_high.html 8bfc76b725d8f4e158b75cfcbf62a81e2f5bf0006e06ba8b106555d1f477bbdd 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-anssi_bp28_intermediary.html e54b1f0a15dea1567398da951b1a2abfeec281b939fa4c9ce8bf3cde123b8b26 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-anssi_bp28_minimal.html 8f62074bf7aa9bec2b5d4f8576ad5dce1eea15c5970fadc163e3c996dd82e760 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-cis.html 9e97f4ec4fcab15fa9a9102078afa0e71b69d09813365d529b98973ce7811ca4 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-cis_server_l1.html e8983f2e65feb937cedb72ec5aa23c1db30e01d9d9230c85447468f3f0280a94 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-cis_workstation_l1.html 95b021aafca9c1000a56fc6d96e27d4db2de74c14a9da2836ce2a4e18664c752 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-cis_workstation_l2.html 38a751036628923c68e7d914f4ff20c51e27aef96e9c45b9af9772871e7fce91 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-cjis.html c20aaf435d98dcd1ac2e3ce4cc3c0211f144f4b386fbc8fe381192f32053f4a3 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-cui.html 6e083eb3757c75ba196eafe5b4d609ca20465f00e99e27fa7f4f054753a4d324 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-e8.html a6a14a81839331ea125febf78983ed6ce2f3bbbae5d6ff6bcf54cf6cbb446bdf 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-hipaa.html f8d02da106a3d4775cef4fa508b3f41cff7c45f5b30a308639a93be9145bad9f 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-ncp.html 8e40fe1771a4c722e010788b183f4b3b0a128ff6aa97f2efd269da78f01b06be 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-ospp.html 94629954ac58a9c1fd15b6690794403e43acd4c5bcdde8ce26190720830aae27 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-pci-dss.html e9e2ddadada1e6737dc25d2be77b1d6cd93e85a2b22c261443ba2b7c5c0994cc 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-rhelh-stig.html 53ee5d61cc7f4189907d2d616a287eccf552463777442ccf181379a324d90bb5 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-rhelh-vpp.html f9e20685fa8359dc9340e647be1414855fa9bde9269c3f609fdad84e26844b26 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-rht-ccp.html 08bb9916cdc936806588e37c8d07c54daa4c9b4b4b8753e63f3314fa2f39249c 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-standard.html 1ef839d7d648f51f01e2064d9b4074f01f1610ac22b25819caf346209fc33387 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-stig.html 3b7e8b8a020d5a9be7e27fc3f9590dd48b77092aa9d319a55674b7f5568e3c16 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-stig_gui.html 409936d2fee0cf88c2dc4cc9208088984f2c041e467f0048a8717771a165d3b1 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-anssi_bp28_enhanced.html 9ae6f9441a42b900376c43efae2fc1ba332893ff0a29e4dfbc0eb537ee2d693d 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-anssi_bp28_high.html a5f32a234cb592205c000af5ec82fb638c7f448cefdc29b882dce7b59d00a76d 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-anssi_bp28_intermediary.html 9942e2a13ccfe07378a5a2b110fc12212570957ccee4860dd76e005c3aacba99 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-anssi_bp28_minimal.html 7f2d3cd2bfeacf26c1a3e42fc584e22ab1c6c24544f884546cd5623dfcfcbbf2 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-cis.html f3cb6be4c5378146e486d43eb345889357b386ce1bd5336072f535a8822167ff 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-cis_server_l1.html 7bd9194104c46cce6102f6786261649cd7e3a1c7fc4ab0465512e48ddfa51b08 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-cis_workstation_l1.html 3bf04e3d70f4d373e5a0421d7d2ba75bbd624495b7ab676fbc40672bd4303111 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-cis_workstation_l2.html 4a5d9e15fb304f5626f97a5635b19240b731415423b94931ef4910729a639d4c 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-cjis.html 570ac08b90c38f9c3d7023ae634cce9b2fa630a0b5a96e7ff2c719e0dffbcfc1 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-cui.html 9ec6f68bcb3710eec7e0a13c83628a45dbb97a55a467dc110ea3aaab0040da80 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-e8.html 25f7ec2f6aee3888dc3895e910b47b56ef69be23330b1ba60ae64d4c430e379a 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-hipaa.html 5bd8748694195070e7bb3ad21dc5cc92cf63b97f06d61623e7abda82cdb4ecab 2
@@ -832,18 +832,18 @@
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-ism_o.html a8f23dedf1dc8718ba24d09de25e7011399adde07ad5b37fb10b46dab300146e 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-ospp.html 25f5bbb835daccb328624776ef1abd471b6d5b1ee9799aa7912efa22a2cd4b42 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-pci-dss.html 2d2ae076e3ec74355a2ffcd67e5ea9769608993fa80e0320bd7bbaf65cc65682 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-rht-ccp.html af312a846de45679b4be10f5a9ad95d8f5f85bb1732c67f997abf8c4fa5d84f0 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-standard.html ae8f929196573222eb9b3e3439f254ff8a63268c9c6add6f412a30f95a989ebd 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-stig.html dcf93c014b9db052863c41240080419fed23ba90f5bc11f1f65f9dc6ca4d418c 2
-/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-stig_gui.html eaf094292133ab315992c4cad68d431b714870be0093880b0d793c1cbc63e2cd 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_enhanced.html 869592477f1f96ce44df244b82552b8d60eb68954ade1f5a4079beb78b5ef5b4 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_high.html a5cf0e2cbac0870675e036d5dc7373ecb65e41ac8bde436116d2e88c6762a78b 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_intermediary.html c921f27f59de49f0de445bdbb1be722d4881b84e417358f361cd7b51f1c5f1a0 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_minimal.html ec1720393e428593900f48cc64b2abaec3a062b8e7872e1d69b5596db81b0bcf 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis.html e5e2537833742ac63053dee1d3e99f27bf3f7942bff8d959575e5e6e48696edb 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis_server_l1.html 57a938571a3a3ef83bd9556f436650f9de3502f3f3d7efbf47d5caa1b642e742 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis_workstation_l1.html 13e2f52785a797494e92e159ca8a6fe2bebb1467d0e09fde3e69058b02d92d01 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis_workstation_l2.html fc5cc8171c61d39c603886ae57e80ec5c238edc1808a2c0d33b02c75ee4e210e 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cui.html f2dc27581a2f37c18d2bc88334aac8aeaab9a48793792205635e213ad76f58b9 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-e8.html 7f2169fc188b9f7c3d48f5769d92acf7fd02f24a7b905948bd04ae7caaf2d020 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-hipaa.html 33cac9e8eee47be82265bf92cb512697d75e823d9664cf95b35c667a0937fd1c 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-ism_o.html acb7871a9cf823bbd4ea975ee0b3805734e7015fbd529684ab63364747e7d798 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-ospp.html 1a6a4b5eeb55fec1d21210b232012cac71b8131ed125812fc8fc87cc541829de 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-pci-dss.html 3cb8bdae5607aee828dd04bd3a80c2efcc21adc0b6e096532d1216e8458321a4 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-rht-ccp.html d1310b9a0268366a3b696200f1b447301420d9a64595ea064c64fcc9466c0a51 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-standard.html 7c8e28ba777585d997fd98e4fc504193f1e89f0ac0f8ec4d8cbc15a7c1e8114e 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-stig.html 64179f52d14c44986b6e94986363fdf059d2737f7298a8c65485fc747ce3116c 2
+/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-stig_gui.html 756a68c6782cdf840e1871981b8a8e4ebab6d808d192860dc77456d2040767f3 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_enhanced.html 62f0fe022280fbcaa4fdb0a7c562715d9bf85a57be83af348d2d683e7e05392e 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_high.html 51497368fcc6bcd2d470f3023817193762f99a4bce41a8b4e319558cc67bb52c 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_intermediary.html d8ab9cd4401597a090ed0f47cee230dc5852e5cc822452f381ce09406bcf480b 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_minimal.html 094f59ed96ba68edd2d9c6de6438e0cb0af04e050283c8220521f0a4dba33446 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis.html ba8f6e65646e07de490aee1ed15e7c5e66d8197a7d6e95c8e4f0d9925db104c4 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis_server_l1.html 4fdb7133aee1dda04abf55db094590aec8539232d399c96e99fb0893bcf73e84 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis_workstation_l1.html 3272a2584144ad5249bad34cc87ac5ab9f5fb8a5fb1c40d1a6dafed1feec8e2e 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis_workstation_l2.html 90839d675beba1612e6ed0e089c13086ed59b26be76aa8691f0411ee061834e7 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cui.html f00162de3cd4ec3c99224177f753d7429e3b5cc05ca323356478da9e835085bb 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-e8.html 278bc8b926f360063f1e963ccd2f9378a59ebc7868a723da8090684ecc645b1b 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-hipaa.html 4b5cfcbfa40207c2feab939002f08bd8282859be71ab25f07af3fe1952955113 2
@@ -851,6 +851,6 @@
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-ism_o.html 7d757e7d0e8e0ba2334083a9804ec9971b6caa43398e257bae77f8f619895a77 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-ospp.html 32783126e9c5db14c5082b6061c6f425cbc9b187700a1b66e4c2d62acb841147 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-pci-dss.html d86b7e96371a00d85d50f102569589c13efd76b4d8894ed6263243aca01742f9 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-stig.html d8e5321060159d24abe228c86b5f233f6833811dcc6df80a0ab6ad59a88664fc 2
-/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-stig_gui.html 859874b94be5a19245b624fa5e2ad3b9f531e2fb408dd00e238447e97ee2ff7f 2
-/usr/share/doc/scap-security-guide/guides/ssg-fedora-guide-cusp_fedora.html b50f1556dffc9d1b175703b1c77bd4d9f38724fbdc0af426ac9620bc0f75b427 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-ism_o.html 646d4df7c4a163df2639f0073260d06a4d8ffbf9b9b0fa4ea64652fc3baddff9 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-ospp.html 08f06b3ddce4e77dccdffe465eabf9b0d2bb3b1d57fb95f6770b9c89d05c5ed7 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-pci-dss.html 676f55f1181c313da2ff7cfacd9f5ff17c4e18dfd2795a36e357d82e4fcc91af 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-stig.html d2653da468e0d0311f51ac5a403ae84979c3df211f552ca5b91f07b09a1f8c83 2
+/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-stig_gui.html 9c8eae6eb5d9526475abcc282328eb8a6b1098199ff51bc1ebcb42b9d1d10dca 2
+/usr/share/doc/scap-security-guide/guides/ssg-fedora-guide-cusp_fedora.html efa011fa8754f5b03462909ecd1a0aa697107e41199a4cb39c091212e1dcd10d 2
@@ -858,11 +858,11 @@
-/usr/share/doc/scap-security-guide/guides/ssg-fedora-guide-ospp.html 3a85a1f68d995dbcc0b7c9256e600e85b88309af39b5ea5132814aae7911615b 2
-/usr/share/doc/scap-security-guide/guides/ssg-fedora-guide-pci-dss.html 35325d23191c8c1ccbcdbcba60cdb8f7e7c208498a94efb780e3858b10f7fe82 2
-/usr/share/doc/scap-security-guide/guides/ssg-fedora-guide-standard.html f24aae3d9697227e077081119b22a9f06d5eaa8d145612bcec7851800b0e497c 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_enhanced.html 9cfb5bfccdf4f3a5b8cc9820f452edf1f48a68155c6c461a78531cad8ad3ae52 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_high.html f401c6bec676421a24d50e40bcd95bbc57e7029d4befed10ab2899b216660e95 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_intermediary.html e64673da2249614300104f935045d3749a9dbf3ee92716c9ddf097da73a8b8f0 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_minimal.html 38a6c4678cca5e1272ab6dde9bcab7e84a6e171fb363373190d5fd20d4a59327 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-cjis.html 59d94921788faea357372abe2eff742b7a41e095c628de5b4b98cc87a1d515e1 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-cui.html a0ff8b4709f7fda16c5115b5ccdd4e18d58226fba856c88ccbb5ecd0fedcf2eb 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-e8.html 660a5c8fb7a5fc8140bda09badb81ba7ef45bdf87557e3b63fd5a0163839cdec 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-hipaa.html 3edea86d83a70e0e7e590da9f9a888a0587e714ae7c6d0a203c44aa5c0613894 2
+/usr/share/doc/scap-security-guide/guides/ssg-fedora-guide-ospp.html 0f900a316ffa9816fd678af55279ea327e9aff1df4a35e250d617626f492016d 2
+/usr/share/doc/scap-security-guide/guides/ssg-fedora-guide-pci-dss.html 056c7a7d2e8064d688da1388fbcf66d3d0f6f2fd4aab3a015236b2ed92a8cd92 2
+/usr/share/doc/scap-security-guide/guides/ssg-fedora-guide-standard.html 2e5ff8577a532a43b75b4cfb7e20dfbe50ec5eedaaebcaee21477f83b0619efc 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_enhanced.html 3c056d9bd5bf8be3016672bcec49f6bf5546d6ec2163c9782cc99f53bba641f4 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_high.html 20679dd85fb810a52c204c57d8c0e52047def17dd2630896e8afba93f6bedf88 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_intermediary.html 52a750e93265aeff5027fc158766a36068ec4df6567779e8675b9fae04888755 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_minimal.html 18737b448f7d46824b13da6e8970fd0af073b808756852c9153b2375da1f1135 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-cjis.html f2199e1747909a4e550f58a8602e195d48008584db8c159182fe762656d83fe5 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-cui.html 13da58b2af84d261622da17b6e301b2f31ed7b7388d9f44260b827aa8be3f898 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-e8.html 617ed586a0ba7f020d248261ca943d4e9353a4f0993a0a53443367f83bfab044 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-hipaa.html 4062fe89fdb7eafe68e9f67f1665e829dbeac4a9542c6366b42b7b86e1242df5 2
@@ -870,15 +870,15 @@
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-ncp.html 0b500d4457210780e3eb2d2fda88b3d009cb3a7f432c34d144b3b2792d904390 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-ospp.html a147281fb98ac2f385c2c41c88fd7cd066110ecce954f4841259206362047a4a 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-pci-dss.html 31938514d0d91dc19fd5e2d8dfc1a95df29d869907732602920d732a3357270a 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-sap.html 0befe0a7fefefda76aef41a609b1bb2f77f953b0b689564c39607d08a0431b3c 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-standard.html 84e64f5aee037c60be8252c42428d351f2130857cf12c7bcadd94a4ccc4cd991 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-stig.html 9a68b34cd83e4eefd4e0fff263b5add2cc6cc6c21b7a063ea77c081ea3781cd3 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-stig_gui.html 6858f5d6abf0aab3211d570a7f31f753dff9a7585db371ecf03f6239812078d0 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_enhanced.html de2d693064b57be4f670f525996833ebc618bbb5b2e5a30bc35b1ff2eed8fdbc 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_high.html 9738f6556b5c54eda4046cf72e1a8214da364094d05b2f3c6bd20b3adc5c08df 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_intermediary.html 6f1d70af51fcb96656efa6a1f9e977e3be07ffa467aedce0666d4a4835ce40f9 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_minimal.html 6e4c985592c24d9c22f577cc8f274f29e22c8880ced506e89ad78f8ee2d675e1 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-cjis.html 3f95877a91cc48cb513be204f80dbd171e9748e81232061f112a2ac89632add8 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-cui.html bb4f2224c7490fa52939011799582ea5924a5c3b0142926854ea511de9def0bf 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-e8.html 60430e5ff7123f5365db054be41b92a87ced6fc439063ada38d9e9efebf3bd5f 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-hipaa.html 41995c896843bc4494f8d512a5a6aeb3452e34a11991568ed11b55351421fa8b 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-ncp.html 35c8b049aa2bb6de52d11ea15fdaecef8832273ef489999a48f38d8b372a0389 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-ospp.html 6e3ddbba4d699af23c11164c4033507107828b68fe7abdd626708cec97dc652c 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-pci-dss.html 3cb35cbd63006a21e86859a953543d5df50fa18f2aa4159390bc4d55f1448914 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-sap.html 2b689005fe966969474a34ee178b874737cbfc3828c3d323e5ff9bbdd4d73a38 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-standard.html 0fba900e660e6d9f3bbae7bc92addda92ea8b4d1ebbc84b94ae1b8d5496d3086 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-stig.html 5aa7cf0f6c0c175f4deb0c7245c50023e16b0b46341d829322ce0beba8202e86 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-stig_gui.html d9a4a019065a77ef09bb6cfb7d747bad3d994df8128013acb6236b2084d8f899 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_enhanced.html 6eb820f656d7118522a10e2c828662ad8bd7c7c4fdb479dd8ef32f6b8d506471 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_high.html 940adb911d11604d3cbb8ce1a887eead0ce6b3945257c856b3330d9309ef958c 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_intermediary.html d4cfa454e9bb30722495e558273c7e3f1f1584dab88dda0fbce3466c09ec1b86 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_minimal.html 24ddfb55598aee5a8b709682bcf69e96b370c5258f61511f50936fa148625617 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-cjis.html 6c6833f3137347ebac2468372ab9955332f4151a583ce0d27bc03d4e80efba96 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-cui.html 3ed0f60d82479ea364156b493a9bdb928045539eb8d8dc4be00a17f7a5a968fa 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-e8.html 543d2cbba291ed9209c5082c4434267d88a461eff6a091438e3660ca598bf8e7 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-hipaa.html c86a0c62408f38701376beb132f7900693713502c242380e02f484772cffde9e 2
@@ -886,12 +886,12 @@
-/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-ospp.html 35ef06d1f6e920ca1c14e501b6d19102a6e0a0a3ba5712eeda12baefee2402bc 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-pci-dss.html 00777593fbcb89851b8f0c72f74563fb66d253930453e240dedac395250d11b1 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-standard.html 2371d7efb9850788b4541c4ecaa2ffa513648ce70064ca98b029006b0b34230f 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-stig.html 6e486ef2ec4e1baf77c75c8fdb0598013e535d26b1903904538873f9a28ec775 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-stig_gui.html 17047c88be26d8713ce8325b5a7284fc0f61f3fab54a7956fccec98031ce3390 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-anssi_bp28_enhanced.html e753b8805a5b19ebdbf403b583d4c5a46748ba5c060beaab4a11b57e04da980b 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-anssi_bp28_high.html baea87ce62f72a9299f4d6093e29a4e49402a56cf5b5cbda498dc2a82e04ca47 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-anssi_bp28_intermediary.html 2e593326c389b6c105ccb345ca2f9bdd85b70aea44a5b74f1188122769587f0a 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-anssi_bp28_minimal.html f56cceb8bf970f27abea66cc1259319a1529f9e13264e376920d04a68295665d 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-cui.html b2cff397a71fa5dc97b92259f5013f9a770a93fa15088612d3bd9e6ce8dc5ad0 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-e8.html 7f484b0c834d4734ba2ed12a0b65e8fc8d42a4e49da62e61b1eb87bfca33c228 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-hipaa.html d145b69f948d823505f00d1cf21dee2e3526e07430e674822c1135467dd2df74 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-ospp.html c159695de894e6546ccf29ab16c2b1ae5104712aaa2d2d44418343dfd88b27a8 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-pci-dss.html f642dca2b3f6d7191d0df5be8b994a1179ba284df974d41a75f54a3961c83149 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-standard.html 16ead7acf15613b51dba1ef22207b6694132bf911b64de43f2c80a98aeb110d3 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-stig.html 0f95f71845c60af1ae7d994cf676a075485bfb54a3eea3ff2cd78caa11eb0ce1 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-stig_gui.html c3f7b3f94415c38996572c751f01a97db46b003be2f2fa28aaaa6ad9a658cf10 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-anssi_bp28_enhanced.html 642b9a756fd99b0670a0535052a19c6ca78de591ed62bab7ce048a0b765def46 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-anssi_bp28_high.html afc702f9f32d9c7f3e692ee152c6e87c7cf66ea5d4ced60b58f1cea3fc9f0c23 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-anssi_bp28_intermediary.html b072618e6eda3f3f63f6a0467ad0e5ba44771092c9f40de7ae1d7bc8068ce321 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-anssi_bp28_minimal.html 7f97408b8427052c2d4bd54bf761e1147318315295a12159b93ee0ca8ae65e5b 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-cui.html 2852105ad3b9ca6a03804805fd78ffcaf0dc6649233645e3545417b868c21fcf 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-e8.html 3e5e45e3850ea98fea4abdd3bb6c4c87a3b3b6a8fd98a69a1efeab6dd0e10bf9 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-hipaa.html c65578c19750baa96343932909fe1fd90bafcf42234a7d10f83764095b6f65ba 2
@@ -899,11 +899,11 @@
-/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-ospp.html c28f8740724b588f248aea13adae4cf4b8e2192bcf4c7530632496e5e6146267 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-pci-dss.html 57a716da644911db03f0aaa0981059d20ac925edbe5a3330a60562a562251a08 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-standard.html dee2fcdcae3383ee38cb1191a7e6909566369b3b1feb413929ebc2f7343a9e77 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-stig.html 39194640d83d9375a6dda190cafc469b21971ee98fddcacdbbd6118319aaed8b 2
-/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-stig_gui.html 867fd39a9aa81c12253b9a0a95c80b7aface06c021c4fc1f796288105562e3e6 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_enhanced.html b63c19a2be52b52183adc307ce2c6a3eb39471a813011b036b718834870cfe29 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_high.html 5e6da8477bc35fad3c426bcb8b995d430efba9561e0eff1a16d8b1de9920a8a6 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_intermediary.html 3fa77591e272b779d7202c3b9aed465bb53cd1279da8baa5bee652b5c17f4bbc 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_minimal.html 5878528886cc7d7bde2d58f813d9ea65533ae7eb8bd8d282b52f753727a951b6 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-e8.html 0fbaef7cce71cc6cb6354553019c54e0dcf4546f8b94f8f9e7c1ac62e8ea7577 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-high.html 6874d09eb7eb71a594d189214375105f0cae71929bbd056d61c8b8ace712e28a 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-ospp.html b0c07e1c4d29e1159fce2e55accb847df61e23c4f8d852f14e7090f83099b277 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-pci-dss.html aa7c2622b635603a4cdf138a243da34ee38de1365a2faf34130ae4853c967909 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-standard.html 475183dfaa92b980a2d80635147b4d031d56e7e57dea673c21b482d30c40adce 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-stig.html d18318e87d63b1e02bab60d5c5fa56c34d1dad350103d422d2bf84f3d7966ec7 2
+/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-stig_gui.html 1cd6fac1ad8eedbff3d09f6f157569d16bcb9676d034f18fc7b039ccdc39edb1 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_enhanced.html 1469700bc991fc0d20d8eb4c70829e0961f7b6044f8789fdbb96f849656dccce 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_high.html b51c454238e0c076ab7b6d5c0414c51c10a68fde05079960d0e0f79b8d6379f6 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_intermediary.html 850f3b6ecdb247034469d6d5bca3b17997ecb542efd454d8c80687acba31e995 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_minimal.html 57666e91ea39ae4e23234492ab86bb4dcfd9cdd7aaa2a13c2206552efd5bb20d 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-e8.html 1bff218238f675449ac0d0812d6786dec8db076db264c7819e99cfb0275ced39 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-high.html 316884fa41f9d29b3f1a113b0aef938ea7c9db9f02c313e6822fb0d330a976ce 2
@@ -911,15 +911,15 @@
-/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-moderate.html 7da271653caa4193a71e19e4fbd833c85835690ab31fe84a71805d800d53cc64 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-nerc-cip.html 465d6d7a9820da3ed1514b879f5bdc14b64d838aa60633e37632709e13cb0a2e 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-C2S.html e344169ec02cda1a2f92d1707968a959fade395a20219bd44141059a37464e52 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_enhanced.html 0ae460156b8f341bc7f9fe96efcb8dc9258f611aeb47b122d9a160cd08ba9308 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_high.html a560872f0e5698f6814dae92a37ecf202ac531976120c3d5692b31994bf5da5e 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_intermediary.html f6f6eb1a17e2d7456909d0174521f183e7da6ed0179145453e9587f09911644e 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_minimal.html b57bd8dfd107f2c833e141c2a938b31cf64cb25c97b6d35f0cafb52de78e39c5 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis.html 0778e025af39fed6130ab1360da917eac200a1a2df270d21e18be679bc2a48de 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis_server_l1.html 9cff0eb130c1174586d6c1f0346d6837cfdc34fcf146b4a779b17d85f51fbce6 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis_workstation_l1.html 208d6311195eebee1d8f58d4d850d489ed6333de76504f3d2c61bc5b5a359d92 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis_workstation_l2.html 03dcf55550508782ccb2f5b944ed45d4bf747834eba3d5de4d0e216361efb8cc 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cjis.html baf79bfb097120c9efdf6f186b3e158216c7a710c0ef01c52b2b869e04f843a7 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cui.html 386a1ce8cd7d6a95de6ac57b248482a22886e307f7b4342c2a5709ee2aad2334 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-e8.html 3a7bd79278f14972a0d03590b3c15459400253eedeebdc053112cba54c4ad56d 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-hipaa.html d3f4bdb634010bb19efa45975f0e560b5be016d908a4efa653eab7f1a288fd65 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-moderate.html 7fc297122d8a0c3ebc6173cffc2b0c6e4f3a0cfcf6880e7f8fc54d8e84ad41f0 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-nerc-cip.html 6aa4a9c9179a973347bb4c94cf6f90e0ca4095899ee5a10d250b4b70f60b340a 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-C2S.html 477e69445e6794ca534689721ed3ec33e735d70a6bff3cebfd4aa1a872271e6b 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_enhanced.html 362a21f1cc2e3fd4630602111ac842d48286f6681cb857162a5f580177393cec 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_high.html 350c5bc7d72058a64efd690a06c2cd08745395587cc7a10884b69e00547e8e01 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_intermediary.html 9c90562630d069e951f3500de11d7d6f45cf4b30073d904c571c53ac7e522a2a 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_minimal.html 90b5d8a5a7aa0133ac7b04cc5cee8b59747161b2d3bd4511d98e3e3f4491fa2b 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis.html 3cc5301c8722848185f90b9ad5a90c54ee8a851b6be6e84f939e33a3fba62f43 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis_server_l1.html 4cc2e98d3359def1d469b4f6f79b65e18d92d07db0545716910380a073b5ada8 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis_workstation_l1.html 1be6e37cc6ac86b62e8bab228de37e7100312389f29849fb061d6d5eb7ae4732 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis_workstation_l2.html 8397b314fe988ff83d373ea6124685be78ed61c182acdcceecc7829c3c00545a 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cjis.html 00613653400cc64de188be054908d384cf875bbdf85a16de1bdf764783fecaad 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cui.html 16e129ffffade23253b00b21723e333eae7c7a266bbdf26a688100890495aa65 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-e8.html 5053ac51ba350f05e04533717926a31ed108267dd70f4a966790eab13a9d8b07 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-hipaa.html 2fd3e714aa41e8f14e7c25bc5636e91f39872d31e193906d4e72a9d7b1c7f42a 2
@@ -927,21 +927,21 @@
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-ncp.html 806362034c10cc09c042e35f9594f486ce6f34e7fd6d30d7809f20122e9032d3 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-ospp.html 4f52ed72948b5a7def1b53138ab8bd19ff336eddb1d412becdc6b459e4b1f82a 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-pci-dss.html 8ae10df24ac618610837fe3ae4698c63a1fbdb9c069b6d4f180a1a14a2d4ffb7 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-rhelh-stig.html 107275d363544b7f9015c9069d8f2f9b81cde027c4b81d236f28b6419bac4ab0 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-rhelh-vpp.html 87007dfbff37d368ee1f7e46e776e70daa715a99797a1de6c9a1af9d0802942c 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-rht-ccp.html b23e43f4262f8e36ebd4cb7f57725b79151bcd3c4e79669c0f581be80d7ac128 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-standard.html 44d161c8bcd8f6c1ff3df7c886c7926291c7927f37cf194a310fa72e594f5b49 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-stig.html 547af0c99a5ebc84284dba26814fc4d2007d0a5672cd42bac2da1c769ec24470 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-stig_gui.html e89dcb536ade26e30a15a06e7b1c762fde84c7b7722aa48fff5c3918171e0658 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_enhanced.html 4e450bb92bc42bd993702aff5988bffd0a1bbd249e5f4df4d0ea7eddd633d713 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_high.html f2c55993db178327763c16c04e5f54e3bbcb1b06a357e4b4fc682b3b2cb2fc02 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_intermediary.html 4b1476e99c8c33a9a8f4fd4bcad43c36bdd5e8c870b61a4a5e43e2c9b62e17f4 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_minimal.html 3d069d87eed739e179ff1476e686cd2929c3f728b3039562d757493a751d6e42 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis.html 5ffe9abca74ebcbf7b5f75d1d432790ca17ef1dcef9002b3fa562c1e9bdbc83f 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis_server_l1.html 0f35ac56d259a446ed86887660dbbe43621e39e6f242232e72fffb87cbe23994 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis_workstation_l1.html 4d65b1ba02c460d0d876d41437c21843b780aec7a71d017f12e92142673fba2d 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis_workstation_l2.html 6fb4a2c7c72a246d0ee92e5e848f460cfee11b49c150f41b37b6c0b46ae01397 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cjis.html 191e5fd7490945a4b5f5e0fc1715884f3e312769606bd6c914bcf21899e285fa 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cui.html 28708606b04ee42639899b7035318dd6251a427155a310e3a6ef26ed35e220ae 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-e8.html 7601045b75d437176fd39dd4984144a7f106131c81768abe008592a8bac352d0 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-hipaa.html 80717311bc1dfe90e0644f3fa34acc7975aa7f5caeb94cfb6be5087a53d1d1e8 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-ncp.html efb6058a1f32f3c84292f639ee19a9458f0e071f1f2b42290580553cddfa8ad7 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-ospp.html ecc81ede4fce6b2293d4a9407e6f014def090710645fd691ee4d6efaf816475d 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-pci-dss.html 22757b1c58be400d901f11b33bf4c6a5f8ff6cac7b4e08be23cd29e0aa867a42 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-rhelh-stig.html 62dff862df9c3649ae6401cfba4f8f69d70453412ceb24f287d1dc15672e5a6c 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-rhelh-vpp.html fe85b4a2e307196e63404aa141f36f66e4cc0f50655d2452c59989990e369769 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-rht-ccp.html 4483f4433cb445ef3638abd51562baa6a7c8693ee1f1c1ac3f4d42fba25fbc31 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-standard.html b2648fbfcd6b53201a5e29f0c9498b1618cab86aecd28ac385386dfd86a57e49 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-stig.html 19e45c80244404d101b7a4ec3ec42093d1ea6773adb50c740b465ab76b1650f7 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-stig_gui.html bd11d81278f0dcabbc71394e3c8600ac52a852a8f4cc51fba0834067ac4d0cbb 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_enhanced.html c57a1ba21652205de44d05311d897b7b91b33311ca3be89f11b002681ed03f60 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_high.html 283797bca36a56b0cbf0d90df0d6f1148c32bcc6a3dd9fc4506e5859f46e4b2e 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_intermediary.html fa8fc920554a96b66e659b5a206f93b46eb8cbd6b30f77a27e18c2662f94a3b4 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_minimal.html dbcd2c6d81c9257f3231cfbe0635971a7a90f315511f3e312b89269949449a66 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis.html 954fb0c6fd6e1e2a51c2c642de94d10ca9fc3dae2d7e212384199a385ba04d07 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis_server_l1.html d1d19fdea7672e3fc95c06bc5a9137bbf61b4ce153c42325edfd0f915237fa8f 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis_workstation_l1.html 639eac28d9fbbe166f05625c9dac93e3bc491904d6dbc0a7fa1b0a32bb6f8233 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis_workstation_l2.html b8554fc50bef2c86a1921857dcc390de411d73ca1fe21b9384722919b3a9d586 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cjis.html ef0f356f8f186fc10d8aa20e98952162ed1dc4752a1e117a646b9886bf7cfcb0 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cui.html 0d96f729a8d6c324b521797e31797aa0a9370494e3df394b09940553251e8071 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-e8.html 79b15e74114affef2000bfcf1915f749368d6d7150ad40e2262b4a180c76faf3 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-hipaa.html a7a521d9179c5d300fa01105acef3d921c2f9741f483d1a01458d4bee5c59955 2
@@ -949,18 +949,18 @@
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-ism_o.html c143fbd7af205e3f50af37840019dbc9c9ae194d626c5e50a9a92ff053bfd848 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-ospp.html 490c567342b285e506f8c051cc7708c2b0eb483ec84eca2857405c169f650c9a 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-pci-dss.html 07ad978743a37206c1994103625388ce4aa7d22fe4537d8a019112c1e2579b6d 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-rht-ccp.html ac87905f46bb9d1e53c7e9cf26b780b91b75bbb5fccc394eaa31824bb62d3aec 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-standard.html 805c79ae48171169dba22be10520a9bb804adad6cfc3b56335af84d7829e536d 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-stig.html 28d8acdda40d325312ece02d939a168b69d45a269f2c700edd3b2cc50b542e97 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-stig_gui.html b071616be1449f09ee8c312114e7dd0493f6e9aeedd51849061bcacf0d0d667f 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_enhanced.html 3734ce24fe8a7f88d856faa5b11762b6a18728fffad1e22273831cbf7f26cb7f 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_high.html cd4b9b45e327de89fb7685e4c24c5d9124dfdddad761db8543303560ffede7a2 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_intermediary.html cf83e504cf3ebb88a7001e132d3ef971ccc7a86b825f18aecedc3c86fad41525 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_minimal.html eab42334ab11c7f4b0b0373d9e059d8d7a4a033ce938f46ed30e017ce58dc358 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis.html c0dc864d67a58018ac83e64750a1421288a0893532d1febf84bbaee914dcea13 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis_server_l1.html 0b450e03600808823a7fd9264c577d355675e0bb64162990e8775cd13b64f6e2 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis_workstation_l1.html 665203abcae68ade9c469cee40b27435f23e21a09637f6050c23849d276fcc4a 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis_workstation_l2.html 62a181bd6ee23aa15aebe1fd40ec44eaa65b797a87e5780c2a5ea38ef6658044 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cui.html d880408d50bf6a8ad05f870137832bf967a4d340b9c5a44ff1f0bfbb05eea81c 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-e8.html e2d96c051e4a6206c9a3a27ab52496c1cc54d167838a0066154c4174ebf38ec0 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-hipaa.html b3f96912ea645e896e83d5a2f0b9c6ac8008ecf3b69ccb08bb6ed85be378da04 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-ism_o.html 9fc885c7b9940a17d5be2e32f4eef7c9d1c1d1ab2c0417f0982fd08230dde53c 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-ospp.html 70c7520d773a3bea678e48842980f7fcf326887c33e4f67a57b6805cadf8d0c3 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-pci-dss.html efb2a126f09788fcec4366c30a6c22ee19285cf9f16977661195aa62307678fd 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-rht-ccp.html 089552bdba928dbdf02330de0958ede6794e7d3701ebed017cda60701a21deb0 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-standard.html dfbd4b22be00b2f66024bf74df7040fd4c5044aae38c20d6b74f19794d935a07 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-stig.html 5a0b5f9ae3e8f8a06ef633117fd88bdca937bf16fd5775e775bb13804a6af228 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-stig_gui.html 109bf0c17520e2798965273ed9607d88e005c514d8a9aea7624b65d3aa7c5c55 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_enhanced.html f3063f386df8386a939b4753997e730afc35e088467c86cc07ba6c1469437d01 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_high.html 9052516d0992bfa97c3f9e067c32f1c9b9c29730ca46b7882690b4109ccb40f3 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_intermediary.html 9fc7f8a265cb7fcad7563798c33b8661e655e934c85dbcf14c459bf2b0f2b8db 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_minimal.html bb1bddb0221d71c60d789ce9ada6a74bf247b43249e7d6d361db506ba1846a54 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis.html cf1e43b3525eafac426509fcb2f224d8b1c00f14652caa64ec60a0fd86215421 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis_server_l1.html 50ef3a71e778b3b1f92823504646e983e754e9e064bd15d71e289083b6868ce3 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis_workstation_l1.html 7cc94f2408fde9c30644193f710364270555debf28589943202d094b860dc063 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis_workstation_l2.html 184b5a61e7990c8eb5e23adfad14a164be6144d46ff4f3c58ba71e389f339a51 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cui.html 76af984e269ca0182704664b39267baa5c6e644fe3d2f8d9d8e081dc49478837 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-e8.html 489d20d1ac97199c5d823ca7128860e0df5e5e87fbe8d61b8f13da26c58ad8a7 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-hipaa.html 5cec61df419a85ccc332f9656a9859fd7dce09de57db848ea818b230bc4cf788 2
@@ -968,5 +968,5 @@
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-ism_o.html 278e746113959c71e9bdc562664723a1ed3c0e3d24e64c99dddff89ed49d63f3 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-ospp.html cc30125d29862f94bc303edfc07f7a2434efcda62123816a388042b7b12eabf7 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-pci-dss.html 38e02f2b3d2fcbb1bcf144bc97f38dac5cd9d26759016df0cb6014838911d707 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-stig.html 1e18be5147d2ea43c102b517b510189b95a42b63ffb0e45af4bef7cecce72b1b 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-stig_gui.html 6763d16881d228f926fa7cd9af74616cfb6065f146bdfc7a1a79dd3bb01606f0 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-ism_o.html a681ab998eb6617f1c8486527a5eade4150dfb715195251b50be6b7b55a74c71 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-ospp.html a20f8865f87ddebb117dfa769ec6fec4126e07638132303cb64087a57d7c64c2 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-pci-dss.html 2e67952fbef7655a0cf3aaf5dba4befc7e790a7de66fe947cb79ea4a2af6837a 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-stig.html e6edb96c3e4e6b9dd07d95dcc063427f259e017f8950e30118f486327f338241 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-stig_gui.html 96ab68a06323ed4f6952c3a3b6330314d8a25e0a40a480bcdfce924fa3572ba9 2
@@ -974,3 +974,3 @@
-/usr/share/doc/scap-security-guide/guides/ssg-rhv4-guide-pci-dss.html 66f0057d98ab4ee083776d472b4e595123fd30269c574fb795629a538f1ff808 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhv4-guide-rhvh-stig.html 5f8b410e9926810b335f502cea229a767094eb0f502d718e91ab87538d70ade1 2
-/usr/share/doc/scap-security-guide/guides/ssg-rhv4-guide-rhvh-vpp.html 19365870307e18cfa3192d57191deecee689bc0a38a200b2bdcd4060a7763cf0 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhv4-guide-pci-dss.html eb70536a778d7194b2350e3e42a1c46754dfb2c790c8407f27005d94fae3fc71 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhv4-guide-rhvh-stig.html 62fb968bc62418044bedd2fe8fa7ba120851035bfb0546264d4b75db93a262b3 2
+/usr/share/doc/scap-security-guide/guides/ssg-rhv4-guide-rhvh-vpp.html 849565488c4b231dc068d3145f9b6d8d4ad15b2ebda5ac86747713c29ce8f70e 2
@@ -978,2 +978,2 @@
-/usr/share/doc/scap-security-guide/guides/ssg-sl7-guide-pci-dss.html 4c40ccb019b2af2ec0a2b2e83474fbf5241c6d457357b4a9529e32728fa61a8d 2
-/usr/share/doc/scap-security-guide/guides/ssg-sl7-guide-standard.html e3b30bba6bac2963f54fd2247002586eab6d666175c8e6d3f43b3596acfdce2b 2
+/usr/share/doc/scap-security-guide/guides/ssg-sl7-guide-pci-dss.html bf16e45964ece555862c67c6c329f17ddc6ff0fe78dddc1d3f4716070cf4359e 2
+/usr/share/doc/scap-security-guide/guides/ssg-sl7-guide-standard.html c2937862e09d6105e2526996db259004e31a1601a623c4641f083149e9cbd95a 2
@@ -981,2 +981,2 @@
-/usr/share/doc/scap-security-guide/tables/table-ol7-anssirefs.html 5956c6fc22075f6b5acb250b1a117efacb6d3d52e595f4bbaaf28d1af8d20c94 2
-/usr/share/doc/scap-security-guide/tables/table-ol7-cuirefs.html aa6661906b07fe717f86ed7068e4c15e272d68cb461687cdcf4e4416243aa366 2
+/usr/share/doc/scap-security-guide/tables/table-ol7-anssirefs.html 1caa47c1f2b70af2540564050dafcadef4dd900b7faa53e0bcf64132b086a68b 2
+/usr/share/doc/scap-security-guide/tables/table-ol7-cuirefs.html 42675981c193ef43d2adb451e27c55d9ccfdfc5e865c14de1deb8eae575e3563 2
@@ -986,3 +986,3 @@
-/usr/share/doc/scap-security-guide/tables/table-ol7-nistrefs.html 32ffff1581e1da5c29952ec7a32e070073a8998bc520619774a4d55187161a04 2
-/usr/share/doc/scap-security-guide/tables/table-ol7-ospprefs.html 01aea0dca0736c85b30f65a154820c3792a60fe10c85f7f7803e90ce51e5916f 2
-/usr/share/doc/scap-security-guide/tables/table-ol7-pcidssrefs.html 871d93b7e9e9f36b1fea1ebdc655966a932e7ae7f7e746d4d28d86f76ee1b541 2
+/usr/share/doc/scap-security-guide/tables/table-ol7-nistrefs.html 6e69f612aa68e63b370f5f8f13fa51eb126ed31301dd7feb2dccfa040408ace0 2
+/usr/share/doc/scap-security-guide/tables/table-ol7-ospprefs.html f44444d297ceb58bb5b1c5acdca7b0ddfe8c640cac804b8fe4972054fed03225 2
+/usr/share/doc/scap-security-guide/tables/table-ol7-pcidssrefs.html ab1b7c42a6e694ba33046327ee354b13ed5cb8cbe7ce140fa4d150d1964b9a02 2
@@ -992,2 +992,2 @@
-/usr/share/doc/scap-security-guide/tables/table-ol8-anssirefs.html 2707616bd58b2c88f11317b0e4bbfa9907511d20eac5256e528e0fedc223f839 2
-/usr/share/doc/scap-security-guide/tables/table-ol8-cuirefs.html bbf5a5786e1e45f1f66f215859ab3fec820376583b19245409ea095fb237d54d 2
+/usr/share/doc/scap-security-guide/tables/table-ol8-anssirefs.html 1e7af9947bc9c943bf5b5c89f2dd49f5dd547895626f680a0e617ce69338c5d0 2
+/usr/share/doc/scap-security-guide/tables/table-ol8-cuirefs.html c5582dbbfd7039a355ef727565855c864fe558f235dda24fd6f1c6943adcbd52 2
@@ -997,2 +997,2 @@
-/usr/share/doc/scap-security-guide/tables/table-ol8-nistrefs.html 5c647b24421a7fe9824f0bbaaae3407e343cc974c315eee6162a00e95f9c86b3 2
-/usr/share/doc/scap-security-guide/tables/table-ol8-pcidssrefs.html 34e74864fd63c6607cdfd4b6562e41d2da5816aaf7d1270d166824911c68f8ce 2
+/usr/share/doc/scap-security-guide/tables/table-ol8-nistrefs.html 8e4f1bae7468a20b5bb0928382f7d93f3f59b657ca00feee8719edd7581af205 2
+/usr/share/doc/scap-security-guide/tables/table-ol8-pcidssrefs.html abb1a12508c21263dc5328d53caf893d886398febfca87b6432493e6d0cb7d43 2
@@ -1003 +1003 @@
-/usr/share/doc/scap-security-guide/tables/table-rhcos4-nistrefs.html aa70a2ae7043da1196c2d6bceafb0be341ec5b4d9afc1edffd3ec99ddeac7686 2
+/usr/share/doc/scap-security-guide/tables/table-rhcos4-nistrefs.html 39ccc9598b4a740f642a41c3e9522167d2a03953ed40d81ea66b74ae8d60273f 2
@@ -1008 +1008 @@
-/usr/share/doc/scap-security-guide/tables/table-rhel7-anssirefs.html 8240814f7aa4615b06a8477eab60c3cb140d7d78a99d8710bc8f130fb1d6adf4 2
+/usr/share/doc/scap-security-guide/tables/table-rhel7-anssirefs.html dee4ceade82a9f15dcda394729fa1b7bf51f837ce456748d72f4ca05c2e750f6 2
@@ -1010,2 +1010,2 @@
-/usr/share/doc/scap-security-guide/tables/table-rhel7-cisrefs.html 7e92315cedec949127b2f581ebd2ef0859cd8a5f39ca4e4f3b68536e9bd02873 2
-/usr/share/doc/scap-security-guide/tables/table-rhel7-cuirefs.html 06277cd74bb54cf064d2220608b2db17fa706468bd8a386dff26b08c79b569c9 2
+/usr/share/doc/scap-security-guide/tables/table-rhel7-cisrefs.html 5ec0d4818c9543f068b3b6b70b80cc40841518b91b76819cf1f330bfecf3ef46 2
+/usr/share/doc/scap-security-guide/tables/table-rhel7-cuirefs.html 7c0daaff335b9651b747db7c95a3021bffb29724c1df9742092a459c75e3be9b 2
@@ -1016,3 +1016,3 @@
-/usr/share/doc/scap-security-guide/tables/table-rhel7-nistrefs.html 2f46ad0616656458392a5bdf14b4d2fc2d7cf08d8056f2c7422da4155eca868c 2
-/usr/share/doc/scap-security-guide/tables/table-rhel7-ospprefs.html 4d27feba4ed526c5d22f44f9966d0184f0ff1908a2b407945a3d5142b407f0be 2
-/usr/share/doc/scap-security-guide/tables/table-rhel7-pcidssrefs.html 583a1ef0553146ab4c384738c04cf7a22ce86fea03df6243966d2fed789f97a2 2
+/usr/share/doc/scap-security-guide/tables/table-rhel7-nistrefs.html 614302ddf03c964b79a44f5709512d668bf7c4b7b2273f4a3276c0340478d401 2
+/usr/share/doc/scap-security-guide/tables/table-rhel7-ospprefs.html da70a26f39af73a2bbf5915324daee66f4979b3f9b6a87468b5a4cae3667c738 2
+/usr/share/doc/scap-security-guide/tables/table-rhel7-pcidssrefs.html 3c8f4f599936320a169661ee973c4806d943e0adeb9a179841845dd1acd9e9db 2
@@ -1028 +1028 @@
-/usr/share/doc/scap-security-guide/tables/table-rhel8-anssirefs.html 892267e25957daca0cc0c7f01048c1417e6fb9ae592afba7c1fa8f9b5f332a5e 2
+/usr/share/doc/scap-security-guide/tables/table-rhel8-anssirefs.html b335c029ad47b0fc32b11fb8eb879566732a0387f8d78ef66060291324ff690c 2
@@ -1030,2 +1030,2 @@
-/usr/share/doc/scap-security-guide/tables/table-rhel8-cisrefs.html 61f5a2c13afd31e974275ed3c729391b87f4b170fcd187ce5d883481a677be66 2
-/usr/share/doc/scap-security-guide/tables/table-rhel8-cuirefs.html 9b60a29fcf69c36bb60dba10f3453f0e4019f4caf8b8ad68ecd11c029ef9e730 2
+/usr/share/doc/scap-security-guide/tables/table-rhel8-cisrefs.html 059b902f5d36b3adf8a7af918fbf5c009e7f1d6b7f23eb045251be7f3fd0a6a5 2
+/usr/share/doc/scap-security-guide/tables/table-rhel8-cuirefs.html 46e9ffdda7309557b26574f7359022bcdf5ce4ce103d06927dcc0e4c72706cb7 2
@@ -1035,2 +1035,2 @@
-/usr/share/doc/scap-security-guide/tables/table-rhel8-nistrefs.html c2c7fa819919046d7bd4cdde6bb2b37bed5a3e0d76c7c78657e1cb094d12c9b7 2
-/usr/share/doc/scap-security-guide/tables/table-rhel8-pcidssrefs.html a2a0093cc3b826af130985fb7148161099de0718eef4ebd901a165111731b4bc 2
+/usr/share/doc/scap-security-guide/tables/table-rhel8-nistrefs.html c89fccc95466ceffa6f86c656980d2dd8aaa3752c989014289dddcb04f926529 2
+/usr/share/doc/scap-security-guide/tables/table-rhel8-pcidssrefs.html 2c929db27186a68650392609ffaa630d5c37ab682a3ebf612d456ca79346dc56 2
@@ -1424,2 +1424,2 @@
-/usr/share/scap-security-guide/tailoring/rhel7_stig_delta_tailoring.xml ba8f5dcd073944e2e942ba2400b5ef0be0328e336b21c7fbbe37fbb9fa54b8b3 0
-/usr/share/scap-security-guide/tailoring/rhel8_stig_delta_tailoring.xml fb8ddedc0f8bb3e482ab924219d2095e0dd392ae7a81e9e58de0910343384d9d 0
+/usr/share/scap-security-guide/tailoring/rhel7_stig_delta_tailoring.xml 6af72e8a8fb86e27c4125b2d4b15bba959e77524e784ee0c6c105baab2c99039 0
+/usr/share/scap-security-guide/tailoring/rhel8_stig_delta_tailoring.xml 99aae09c985f4e4a35b2772d9337e2da42a5af2ec4ec99c999412fdb25a2c6c9 0
@@ -1429,9 +1429,9 @@
-/usr/share/xml/scap/ssg/content/ssg-centos7-ds-1.2.xml 4069f93fb8cb5dcebc779071012fb2aeda763aa21bce689161dc4357e3be6a48 0
-/usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml 6b4346b2fbb1e96cf59d68539a51614fb2cf262e2d44483ccb19eedbbe11862f 0
-/usr/share/xml/scap/ssg/content/ssg-centos7-xccdf.xml c12efc7af00a7ec56153209202992d66a2f378d5279a0ffc1cf7fe454c79ad10 0
-/usr/share/xml/scap/ssg/content/ssg-centos8-ds-1.2.xml b12dd8eddd6be7e7a9a33813b574f2f60b3fd62774a4f789b28a52b2c598706b 0
-/usr/share/xml/scap/ssg/content/ssg-centos8-ds.xml 01c11a6ac4fdd7be761d358ea9d8136ac2a0e98e2a20b4a5c6561ce134e13bea 0
-/usr/share/xml/scap/ssg/content/ssg-centos8-xccdf.xml 0630b7fd65bfcbeb54ea991df1c5a92ec8cd3e3673195fb9f009eb6f1078074d 0
-/usr/share/xml/scap/ssg/content/ssg-cs9-ds-1.2.xml e6de093134cdbff754534f1a088be5a56827a1270aac0c1f2266e3daf2843292 0
-/usr/share/xml/scap/ssg/content/ssg-cs9-ds.xml ecf4031a75659ab738c8f74440619166c844330ee0245a5a0438b0ff97a44461 0
-/usr/share/xml/scap/ssg/content/ssg-cs9-xccdf.xml 39f0ea1c12c43982e891cebe33172af8d1dc4c6ea6da1aa3839cb9e3d31db56d 0
+/usr/share/xml/scap/ssg/content/ssg-centos7-ds-1.2.xml 0c66a07e0aa90bc1de2b491be29ff62b549f20f4ee3d371efa112c6cb9746e86 0
+/usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml a7f7f06b57af6f92edcf81a4975c7aaabd376036655bf44ba7d3d1e52a389835 0
+/usr/share/xml/scap/ssg/content/ssg-centos7-xccdf.xml 24b4a7684cbd940a80094bcc072905e68ab9983156b5f12d89f7a6c38793ebf0 0
+/usr/share/xml/scap/ssg/content/ssg-centos8-ds-1.2.xml 8d69ce663256a07516840eab5658c45029d8dc1e2da95ec3c88f928918e61cd5 0
+/usr/share/xml/scap/ssg/content/ssg-centos8-ds.xml 8469853049b622215d27a5e4c916b39de8853467ed2c5c52dcb6f8741080efbf 0
+/usr/share/xml/scap/ssg/content/ssg-centos8-xccdf.xml 6a64d2c8b4159882146b452656fe3805d812e8c42c60ee0c5663311e62502768 0
+/usr/share/xml/scap/ssg/content/ssg-cs9-ds-1.2.xml 5af13a4ca11aeee4d1c1703f56294e6e1cf599a04e4e0acbfeeb5f76539c1af0 0
+/usr/share/xml/scap/ssg/content/ssg-cs9-ds.xml 21fbcf3c128c02fdc90c526e451ceb2070b6c733487875e919ed9369aad9c674 0
+/usr/share/xml/scap/ssg/content/ssg-cs9-xccdf.xml 16bf4bf84a82b763c4e83f7496d8c126aaef0ff4114afd8c284154ca67b022f4 0
@@ -1440,3 +1440,3 @@
-/usr/share/xml/scap/ssg/content/ssg-fedora-ds-1.2.xml e0d7bf17ae3833116f6beddb157c2a660366208f45dca4ce156b38a736d73af1 0
-/usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml ea67d4729b88870c7bd98bc4fcfa66414bdc7ba0ead87d4d10da8891c980cbf7 0
-/usr/share/xml/scap/ssg/content/ssg-fedora-ocil.xml 5a9a35b1be79fa58d5029e14227bd2324ffd67d34eadc3cf7b8500b45eed6fa9 0
+/usr/share/xml/scap/ssg/content/ssg-fedora-ds-1.2.xml a4a777d86abab1d1054873216206284b9e61e583016374a7dd83789043426c71 0
+/usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml 0e558df791d82527634b074d491d2777152fa7dfa3cdc34429072ae26dc66a33 0
+/usr/share/xml/scap/ssg/content/ssg-fedora-ocil.xml 2e1848d4bbaebb560764e0f55ed8f0db95cbece5cf3ac984ab57f7c62c60014d 0
@@ -1444 +1444 @@
-/usr/share/xml/scap/ssg/content/ssg-fedora-xccdf.xml f05c12c02b925975613c17e27c62decfc5c835cd7abd49401f75835c37009154 0
+/usr/share/xml/scap/ssg/content/ssg-fedora-xccdf.xml a0f5e1ff726ac2704c5ae639af732d39f8f10764ee6da4ebef1dbb202757530a 0
@@ -1447,3 +1447,3 @@
-/usr/share/xml/scap/ssg/content/ssg-ol7-ds-1.2.xml 949c6c43f344254f17fba0339fd8c481068bee694cb31157438e467778a2bd8a 0
-/usr/share/xml/scap/ssg/content/ssg-ol7-ds.xml f772f4678befb356b65eb4eaef084e52bea291cf2dff4faa9a1a30b0e8307c92 0
-/usr/share/xml/scap/ssg/content/ssg-ol7-ocil.xml 6389bd2f22326fdf394e6ea0d4008314207810cb0bfe3a53ff902846da196f6d 0
+/usr/share/xml/scap/ssg/content/ssg-ol7-ds-1.2.xml eae9a11303386e5fe5e47f108dea209c036f44d56f6cfa815ee2dd34cf9584bf 0
+/usr/share/xml/scap/ssg/content/ssg-ol7-ds.xml f59060f2b71cce8370796823503d93ff9eb9eaf10d9ec0f8ca87ad3b46fa6d09 0
+/usr/share/xml/scap/ssg/content/ssg-ol7-ocil.xml 83084e22ce7182ce3ff66b661225ee6ae467404312155430e783e83a88ff53cb 0
@@ -1451 +1451 @@
-/usr/share/xml/scap/ssg/content/ssg-ol7-xccdf.xml 2568a9e77e143cbb56e63904cd4f37dc30e210dbf2a1bd74b9717b2f7acf8a94 0
+/usr/share/xml/scap/ssg/content/ssg-ol7-xccdf.xml 6a63de1d83708f0619f9d2209f18b2831a4be1e647770199e6b7eaf27cd368d2 0
@@ -1454,3 +1454,3 @@
-/usr/share/xml/scap/ssg/content/ssg-ol8-ds-1.2.xml c3b875b3ffab7a099fba1e11f8123bb4eae02b1c02877f6a566d93e44031fd23 0
-/usr/share/xml/scap/ssg/content/ssg-ol8-ds.xml 02ec4c99ad07dce6b846b8c31daa3975a828395240394d2f1457c956cadc4621 0
-/usr/share/xml/scap/ssg/content/ssg-ol8-ocil.xml f13f0c15b2993c8ef24967195da9737139a60b42d57693fd903689834f7a1ab9 0
+/usr/share/xml/scap/ssg/content/ssg-ol8-ds-1.2.xml 2728624ada13aeba662104199fbe4792fc78a6b912cd542f55f616c9dc62f2b5 0
+/usr/share/xml/scap/ssg/content/ssg-ol8-ds.xml 2fade550239d13fe8b0e0d4a193d8b436d32c0b162e99baea5402bb48ca22c71 0
+/usr/share/xml/scap/ssg/content/ssg-ol8-ocil.xml 0b94262971031a712702f509e53083247db1b960a7b9afcd6d56a307c1c54b3e 0
@@ -1458 +1458 @@
-/usr/share/xml/scap/ssg/content/ssg-ol8-xccdf.xml dcdef1e8f0ad42555fade58aaaf040103ca80628a4e0fd08c5be09a51222f6a5 0
+/usr/share/xml/scap/ssg/content/ssg-ol8-xccdf.xml 9b36e6a26515d24f570069841d84bd047542f59dabb1f19630152d33e61b63e4 0
@@ -1461,3 +1461,3 @@
-/usr/share/xml/scap/ssg/content/ssg-ol9-ds-1.2.xml 5694ec162a5a38844688906f417bcfca6d5ad454bd49fb3eb3a54dea9fba80b1 0
-/usr/share/xml/scap/ssg/content/ssg-ol9-ds.xml 83bf701a44468db18c6c50e4dfef103a0914ab2459a6b1f6d8b78da86d6441fb 0
-/usr/share/xml/scap/ssg/content/ssg-ol9-ocil.xml 408bc4db4a05c9fc183d899f9fda8cb50d5c62f3cd34744bf05f9950cfc623e0 0
+/usr/share/xml/scap/ssg/content/ssg-ol9-ds-1.2.xml 6da244b3faa8dd63edbbeafc0f404d71377b1956a514f5e7499dcd35a85a7b7b 0
+/usr/share/xml/scap/ssg/content/ssg-ol9-ds.xml 5a1cea06a15d66a00cdfbb3db6c9361eb8c14d9721c3f94d8c02ca2736a2368e 0
+/usr/share/xml/scap/ssg/content/ssg-ol9-ocil.xml d9f4ef756504431dab1ca7d8445d985c6d852ed48c17f9fa997e23f0db0d1156 0
@@ -1465 +1465 @@
-/usr/share/xml/scap/ssg/content/ssg-ol9-xccdf.xml c3ecc6ae76306427f381434bc2e5ad5c53bc92b3eb76cb59cdf79ac29b8ac655 0
+/usr/share/xml/scap/ssg/content/ssg-ol9-xccdf.xml 3900eda587ef1953d92acde2b41c507be07cee748d2ffeee6e5d4a3ce70ea96a 0
@@ -1468,3 +1468,3 @@
-/usr/share/xml/scap/ssg/content/ssg-rhcos4-ds-1.2.xml 2a498dc733551c15d6f6eb64ffb6ce15d1cd0c72c3488df7dedee0336ec8ce45 0
-/usr/share/xml/scap/ssg/content/ssg-rhcos4-ds.xml 9a9efe8a575909adb4ad958ca7b62848be8f4ef1d77496835a2b83f3891fe410 0
-/usr/share/xml/scap/ssg/content/ssg-rhcos4-ocil.xml f1c39423a33bdce91cec11f0b0463ac4b35fc812c114a980bd1cd4012c06f0b6 0
+/usr/share/xml/scap/ssg/content/ssg-rhcos4-ds-1.2.xml 59920c51e469966305b63d7f2b71429fe18dd9020a4ff20c22b2254c23c3de1f 0
+/usr/share/xml/scap/ssg/content/ssg-rhcos4-ds.xml 5a15366af10a8683034fb549d83919b6f228dfccea02aeb33783b07fa8f47948 0
+/usr/share/xml/scap/ssg/content/ssg-rhcos4-ocil.xml d9e6da6cbdbd6f4d4c82ef9361544837296f035ca7b21bc44af29ff2259fc21a 0
@@ -1472 +1472 @@
-/usr/share/xml/scap/ssg/content/ssg-rhcos4-xccdf.xml 6ff4dccaf7315d5e83fc185a30a43192c4ecc9d27d31ed6414956ab23d5bd1ee 0
+/usr/share/xml/scap/ssg/content/ssg-rhcos4-xccdf.xml 3196c025d767816bad39e9b35129f43621244227a7793c04e77481d04f08f9c2 0
@@ -1475,3 +1475,3 @@
-/usr/share/xml/scap/ssg/content/ssg-rhel7-ds-1.2.xml 2d6a14c614ae9585f458d7f12be9311299e8fe760c99e3b2abfba333f376ba38 0
-/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml df7d660f17a1243f5bd3e6a305485ac1b6b51a2893ca1c62c721af840ae744eb 0
-/usr/share/xml/scap/ssg/content/ssg-rhel7-ocil.xml b30b3150beb5c48f1c201cd47010af37badb039c9e6fb5090bf4cebb0a05ac93 0
+/usr/share/xml/scap/ssg/content/ssg-rhel7-ds-1.2.xml 3e129df86995e821d04b12f1b0729a8617de94c922cdee6e0fb6c8056fb4fc38 0
+/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml 35a3c82eb7dd8e3e7f0b7d9e39daffe8d605e6ba3a5392ad23ad04055a282c6e 0
+/usr/share/xml/scap/ssg/content/ssg-rhel7-ocil.xml bc461935944b53f236b11251b4e5fda1efa6d83aa87eefdcb54308e31b2e0470 0
@@ -1479 +1479 @@
-/usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml 9da6ab38ae16801acffa544db16d1b37875a8ac02d913c928115e621a27c028b 0
+/usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml 737dcb9b8fe3cc32c57a69c10b9acb993bb4f4c8e8022c55121abaf6fd042043 0
@@ -1482,3 +1482,3 @@
-/usr/share/xml/scap/ssg/content/ssg-rhel8-ds-1.2.xml 50a00c7377a35cfc8dd920a2e26fadf74984f0ea919f4c67b7b6ea321d2ba73b 0
-/usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml 31fa5b3d353e730be9e04d5f44c2f47abadd42965a2e7dae415dec5550849f2a 0
-/usr/share/xml/scap/ssg/content/ssg-rhel8-ocil.xml b7c2b93325073d96b72ee78839a86346ec8205ff765de2d58594700c10dc9430 0
+/usr/share/xml/scap/ssg/content/ssg-rhel8-ds-1.2.xml bb3b6bcaef8b751980da7bb49e1383310913691204a839274e236deac57fb273 0
+/usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml 596750fdb0c2ea80ceb915bbf51cd90f3be1ccc5897b2c526e316da988325938 0
+/usr/share/xml/scap/ssg/content/ssg-rhel8-ocil.xml 82b2070c5d3639377892e2b0a1e12311ef5eecd690c710811e2dcc73f8fb3ca1 0
@@ -1486 +1486 @@
-/usr/share/xml/scap/ssg/content/ssg-rhel8-xccdf.xml 037762a9b57d68fa8f44a820ea805dd62c83db251bbd9978781bfdc4412d74ea 0
+/usr/share/xml/scap/ssg/content/ssg-rhel8-xccdf.xml d25c5aa27dd6f59df6d444bbf96003b6431633188ed1d4f654a28fdfb2282d00 0
@@ -1489,3 +1489,3 @@
-/usr/share/xml/scap/ssg/content/ssg-rhel9-ds-1.2.xml 12598057c838812d3ffa2f830b48c79954bf643f597f7c4147eb9924e5f0e78d 0
-/usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml 9850d18a48ce4230e77dd23fb7ea8db829123b450612d1a93fbd35cf89f6601f 0
-/usr/share/xml/scap/ssg/content/ssg-rhel9-ocil.xml 3d4efe6a4fa2bb47a312ead68b52c8284ac143455bbe8f9dedc5f1adb9c57056 0
+/usr/share/xml/scap/ssg/content/ssg-rhel9-ds-1.2.xml 7a5fbe14eed83881383539e76ab8c673616244ab67831c5c2786e6e8d55a36bf 0
+/usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml 5ce0f2eac6d34919a547aa7cd950f74b2592559e83e25e4e34084e9f60c10901 0
+/usr/share/xml/scap/ssg/content/ssg-rhel9-ocil.xml 43e09f08570335fea32bc29d4ba4b26506d0d8ddfa28dc580638fa07f9e77cdb 0
@@ -1493 +1493 @@
-/usr/share/xml/scap/ssg/content/ssg-rhel9-xccdf.xml 8aa5b0b8bd6c5361f8f7da52e21ce79fd008ec9733fb87e7fc2f964ea1573402 0
+/usr/share/xml/scap/ssg/content/ssg-rhel9-xccdf.xml 879f59fd2d4deacbf5c1211bfcbb0c563b785360b7d61a05efd7d19ec6a46a92 0
@@ -1496,3 +1496,3 @@
-/usr/share/xml/scap/ssg/content/ssg-rhv4-ds-1.2.xml 52243e0663856c2670e472c5f95c559cf740aadbccb4bfdc77fe19d5405f262e 0
-/usr/share/xml/scap/ssg/content/ssg-rhv4-ds.xml f9f81de3e875ec30ba933b367306fd3ae570bbce67730650d56c793effc27108 0
-/usr/share/xml/scap/ssg/content/ssg-rhv4-ocil.xml 500aa74c296a93ba0bd5afdc10a2af50c571d09f56d4ff26ec13271caa762251 0
+/usr/share/xml/scap/ssg/content/ssg-rhv4-ds-1.2.xml 44a44cf0b7109fe469672e80346bf7bb5b8b079ce0373bebd3895a9f6384abbe 0
+/usr/share/xml/scap/ssg/content/ssg-rhv4-ds.xml 3e4814b5b77f8c87e7e4e84f5d6ec5c7e831add319c97420980da109fa49ec05 0
+/usr/share/xml/scap/ssg/content/ssg-rhv4-ocil.xml aeddfd973e73e1d41d15051d9038b14049a5f6df3e899121a3865395cda1b97c 0
@@ -1500,4 +1500,4 @@
-/usr/share/xml/scap/ssg/content/ssg-rhv4-xccdf.xml 1cf53cfe1e443fd00954222a81c5be52846ac73d6e99a41917e10f6ae8d8b928 0
-/usr/share/xml/scap/ssg/content/ssg-sl7-ds-1.2.xml 1ec6abe8d170bd5c22726593d70bb7965daea45c3792bd1365a3b5d002185d99 0
-/usr/share/xml/scap/ssg/content/ssg-sl7-ds.xml 97c187f17ce408a9b13e95a9ba4b1a038843cf45fb02972822671eac7ec4f239 0
-/usr/share/xml/scap/ssg/content/ssg-sl7-xccdf.xml 0220a4352e9824bf279d8174398fbdf664f8842cd3162b671c4ff51d068386de 0
+/usr/share/xml/scap/ssg/content/ssg-rhv4-xccdf.xml 44df211e11e7d14afacf6c98836f42bb4079e6bf7a8c5576232b4b7a8abbe23e 0
+/usr/share/xml/scap/ssg/content/ssg-sl7-ds-1.2.xml 2f29f523c55106ef9cbe8fb3fc60af6c9253beeafc05ca5d0ceecfe425156c7e 0
+/usr/share/xml/scap/ssg/content/ssg-sl7-ds.xml 953dca73aead69201cabe588f51fc242f30609fb82ef44de467839f0bd7eb4de 0
+/usr/share/xml/scap/ssg/content/ssg-sl7-xccdf.xml 46025394bde1f1885a80ac070ccd0c11f78391d9f8a2be9ceaaadb56bb2fd2cb 0
comparing rpmtags
comparing RELEASE
comparing PROVIDES
comparing scripts
comparing filelist
comparing file checksum
creating rename script
RPM file checksum differs.
Extracting packages
/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-C2S.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-C2S.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-C2S.html	2023-07-27 00:00:00.000000000 +0000
@@ -84,7 +84,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>C2S for Red Hat Enterprise Linux 7</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_C2S</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::client is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::client</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::computenode is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::computenode</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::server is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::server</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::workstation is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::workstation</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:centos:centos:7 is applicable to this Benchmark">cpe:/o:centos:centos:7</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_avahi">Avahi Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_dns">DNS Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_http">Web Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_imap">IMAP and POP3 Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_printing">Print Support</a></li><li><a href="#xccdf_org.ssgproject.content_group_proxy">Proxy Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB) Microsoft Windows File Sharing Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_snmp">SNMP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_xwindows">X Window System</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-7"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 7
                           <small>Group contains 101 groups and 234 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -138,7 +138,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id26" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id26"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -155,19 +159,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id26" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id26"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id27" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id27"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id28" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id28"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id27" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id27"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id28" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id28"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking" id="guide-tree-leaf-id29" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_aide"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking"><span class="label label-default">Rule</span>  
                                 Configure Periodic Execution of AIDE
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">At a minimum, AIDE should be configured to run a weekly scan.
@@ -5637,7 +5637,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id120" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id120"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Direct root Logins Not Allowed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id120" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id120"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,
+        mode: 0600
+        path: /etc/securetty
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id121" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id121"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Direct root Logins Not Allowed
   copy:
     dest: /etc/securetty
     content: ''
@@ -5654,20 +5668,6 @@
   - no_direct_root_logins
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id121" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id121"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,
-        mode: 0600
-        path: /etc/securetty
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts" id="guide-tree-leaf-id122" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_root_logins"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts"><span class="label label-default">Rule</span>  
                                 Ensure that System Accounts Do Not Run a Shell Upon Login
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Some accounts are not associated with a human user of the system, and exist to perform some
@@ -28557,7 +28557,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id213" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id213"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id213" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id213"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db64%20-S%20adjtimex%20-k%20audit_time_rules%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20adjtimex%20-k%20audit_time_rules%0A }}
+        mode: 0600
+        path: /etc/audit/rules.d/75-syscall-adjtimex.rules
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id214" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id214"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -28881,20 +28895,6 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id214" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id214"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db64%20-S%20adjtimex%20-k%20audit_time_rules%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20adjtimex%20-k%20audit_time_rules%0A }}
-        mode: 0600
-        path: /etc/audit/rules.d/75-syscall-adjtimex.rules
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime" id="guide-tree-leaf-id215" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_audit_time_rules"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime"><span class="label label-default">Rule</span>  
                                 Record Attempts to Alter Time Through clock_settime
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">If the <code>auditd</code> daemon is configured to use the
@@ -29246,7 +29246,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id217" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id217"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id217" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id217"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db64%20-S%20clock_settime%20-F%20a0%3D0x0%20-k%20time-change%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20clock_settime%20-F%20a0%3D0x0%20-k%20time-change%0A }}
+        mode: 0600
+        path: /etc/audit/rules.d/75-syscall-clock-settime.rules
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id218" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id218"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -29563,20 +29577,6 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id218" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id218"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db64%20-S%20clock_settime%20-F%20a0%3D0x0%20-k%20time-change%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20clock_settime%20-F%20a0%3D0x0%20-k%20time-change%0A }}
-        mode: 0600
-        path: /etc/audit/rules.d/75-syscall-clock-settime.rules
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday" id="guide-tree-leaf-id219" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_audit_time_rules"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday"><span class="label label-default">Rule</span>  
                                 Record attempts to alter time through settimeofday
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">If the <code>auditd</code> daemon is configured to use the
@@ -29940,7 +29940,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id221" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id221"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id221" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id221"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db64%20-S%20settimeofday%20-k%20audit_time_rules%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20settimeofday%20-k%20audit_time_rules%0A }}
+        mode: 0600
+        path: /etc/audit/rules.d/75-syscall-settimeofday.rules
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id222" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id222"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-anssi_nt28_enhanced.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-anssi_nt28_enhanced.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-anssi_nt28_enhanced.html	2023-07-27 00:00:00.000000000 +0000
@@ -80,7 +80,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>ANSSI-BP-028 (enhanced)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_nt28_enhanced</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::client is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::client</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::computenode is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::computenode</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::server is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::server</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::workstation is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::workstation</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:centos:centos:7 is applicable to this Benchmark">cpe:/o:centos:centos:7</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-7"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 7
                           <small>Group contains 69 groups and 229 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -134,7 +134,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id26" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id26"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -151,19 +155,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id26" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id26"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id27" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id27"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id28" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id28"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id27" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id27"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id28" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id28"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_build_database" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_aide_build_database" id="guide-tree-leaf-id29" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_aide"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_aide_build_database"><span class="label label-default">Rule</span>  
                                 Build and Test AIDE Database
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_aide_build_database">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Run the following command to generate a new database:
@@ -574,7 +574,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id68" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id68"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id68" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id68"><pre><code>
+[[packages]]
+name = "sudo"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id69" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id69"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -588,19 +592,15 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id69" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id69"><pre><code>
-[[packages]]
-name = "sudo"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id70" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id70"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=sudo
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id71" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id71"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id70" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id70"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
 
 class install_sudo {
   package { 'sudo':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id71" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id71"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=sudo
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sudo_add_env_reset" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sudo_add_env_reset" id="guide-tree-leaf-id72" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_sudo"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_sudo_add_env_reset"><span class="label label-default">Rule</span>  
                                 Ensure sudo Runs In A Minimal Environment - sudo env_reset
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_sudo_add_env_reset">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The sudo <code>env_reset</code> tag, when specified, will run the command in a minimal environment,
@@ -7694,7 +7694,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id165" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id165"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Direct root Logins Not Allowed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id165" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id165"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,
+        mode: 0600
+        path: /etc/securetty
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id166" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id166"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Direct root Logins Not Allowed
   copy:
     dest: /etc/securetty
     content: ''
@@ -7711,20 +7725,6 @@
   - no_direct_root_logins
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id166" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id166"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,
-        mode: 0600
-        path: /etc/securetty
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_accounts-session" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts"><td style="padding-left: 57px" id="xccdf_org.ssgproject.content_group_accounts-session"><span class="label label-default">Group</span>  
                 Secure Session Configuration Files for Login Accounts
                           <small>Group contains 1 group and 6 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_accounts-session" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_accounts-session" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts"><td style="padding-left: 57px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_accounts-session">[ref]</a>  
@@ -28506,7 +28506,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id259" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id259"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id259" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id259"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20delete_module%20-k%20module-change%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20delete_module%20-k%20module-change%0A
+        mode: 0600
+        path: /etc/audit/rules.d/75-kernel-module-loading-delete.rules
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id260" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id260"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -28827,20 +28841,6 @@
   - low_disruption
   - medium_severity
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id260" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id260"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20delete_module%20-k%20module-change%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20delete_module%20-k%20module-change%0A
-        mode: 0600
-        path: /etc/audit/rules.d/75-kernel-module-loading-delete.rules
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_finit" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_finit" id="guide-tree-leaf-id261" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_audit_kernel_module_loading"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_finit"><span class="label label-default">Rule</span>  
                                 Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_finit">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program
@@ -29191,7 +29191,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id263" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id263"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id263" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id263"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20finit_module%20-k%20module-change%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20finit_module%20-k%20module-change%0A
+        mode: 0600
+        path: /etc/audit/rules.d/75-kernel-module-loading-finit.rules
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id264" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id264"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -29520,20 +29534,6 @@
   - low_disruption
   - medium_severity
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id264" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id264"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-anssi_nt28_high.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-anssi_nt28_high.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-anssi_nt28_high.html	2023-07-27 00:00:00.000000000 +0000
@@ -80,7 +80,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>ANSSI-BP-028 (high)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_nt28_high</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::client is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::client</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::computenode is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::computenode</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::server is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::server</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::workstation is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::workstation</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:centos:centos:7 is applicable to this Benchmark">cpe:/o:centos:centos:7</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_kernel_build_config">Kernel Configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-7"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 7
                           <small>Group contains 70 groups and 285 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -134,7 +134,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id26" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id26"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -151,19 +155,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id26" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id26"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id27" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id27"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id28" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id28"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id27" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id27"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id28" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id28"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_build_database" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_aide_build_database" id="guide-tree-leaf-id29" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_aide"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_aide_build_database"><span class="label label-default">Rule</span>  
                                 Build and Test AIDE Database
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_aide_build_database">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Run the following command to generate a new database:
@@ -896,7 +896,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id78" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id78"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id78" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id78"><pre><code>
+[[packages]]
+name = "sudo"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id79" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id79"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -910,19 +914,15 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id79" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id79"><pre><code>
-[[packages]]
-name = "sudo"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id80" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id80"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=sudo
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id81" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id81"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id80" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id80"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
 
 class install_sudo {
   package { 'sudo':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id81" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id81"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=sudo
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sudo_add_env_reset" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sudo_add_env_reset" id="guide-tree-leaf-id82" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_sudo"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_sudo_add_env_reset"><span class="label label-default">Rule</span>  
                                 Ensure sudo Runs In A Minimal Environment - sudo env_reset
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_sudo_add_env_reset">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The sudo <code>env_reset</code> tag, when specified, will run the command in a minimal environment,
@@ -8016,7 +8016,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id175" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id175"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Direct root Logins Not Allowed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id175" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id175"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,
+        mode: 0600
+        path: /etc/securetty
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id176" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id176"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Direct root Logins Not Allowed
   copy:
     dest: /etc/securetty
     content: ''
@@ -8033,20 +8047,6 @@
   - no_direct_root_logins
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id176" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id176"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,
-        mode: 0600
-        path: /etc/securetty
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_accounts-session" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts"><td style="padding-left: 57px" id="xccdf_org.ssgproject.content_group_accounts-session"><span class="label label-default">Group</span>  
                 Secure Session Configuration Files for Login Accounts
                           <small>Group contains 1 group and 6 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_accounts-session" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_accounts-session" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts"><td style="padding-left: 57px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_accounts-session">[ref]</a>  
@@ -28828,7 +28828,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id269" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id269"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id269" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id269"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20delete_module%20-k%20module-change%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20delete_module%20-k%20module-change%0A
+        mode: 0600
+        path: /etc/audit/rules.d/75-kernel-module-loading-delete.rules
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id270" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id270"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -29149,20 +29163,6 @@
   - low_disruption
   - medium_severity
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id270" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id270"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20delete_module%20-k%20module-change%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20delete_module%20-k%20module-change%0A
-        mode: 0600
-        path: /etc/audit/rules.d/75-kernel-module-loading-delete.rules
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_finit" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_finit" id="guide-tree-leaf-id271" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_audit_kernel_module_loading"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_finit"><span class="label label-default">Rule</span>  
                                 Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_finit">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program
@@ -29513,7 +29513,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id273" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id273"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id273" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id273"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20finit_module%20-k%20module-change%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20finit_module%20-k%20module-change%0A
+        mode: 0600
+        path: /etc/audit/rules.d/75-kernel-module-loading-finit.rules
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id274" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id274"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -29842,20 +29856,6 @@
   - low_disruption
   - medium_severity
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id274" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id274"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-anssi_nt28_intermediary.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-anssi_nt28_intermediary.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-anssi_nt28_intermediary.html	2023-07-27 00:00:00.000000000 +0000
@@ -80,7 +80,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>ANSSI-BP-028 (intermediary)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_nt28_intermediary</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::client is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::client</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::computenode is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::computenode</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::server is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::server</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::workstation is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::workstation</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:centos:centos:7 is applicable to this Benchmark">cpe:/o:centos:centos:7</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-7"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 7
                           <small>Group contains 55 groups and 158 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -134,7 +134,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id26" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id26"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -151,19 +155,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id26" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id26"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id27" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id27"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id28" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id28"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id27" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id27"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id28" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id28"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_build_database" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_aide_build_database" id="guide-tree-leaf-id29" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_aide"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_aide_build_database"><span class="label label-default">Rule</span>  
                                 Build and Test AIDE Database
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_aide_build_database">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Run the following command to generate a new database:
@@ -450,7 +450,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id61" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id61"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id61" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id61"><pre><code>
+[[packages]]
+name = "sudo"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id62" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id62"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -464,19 +468,15 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id62" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id62"><pre><code>
-[[packages]]
-name = "sudo"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id63" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id63"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=sudo
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id64" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id64"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id63" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id63"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
 
 class install_sudo {
   package { 'sudo':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id64" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id64"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=sudo
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sudo_add_env_reset" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sudo_add_env_reset" id="guide-tree-leaf-id65" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_sudo"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_sudo_add_env_reset"><span class="label label-default">Rule</span>  
                                 Ensure sudo Runs In A Minimal Environment - sudo env_reset
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_sudo_add_env_reset">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The sudo <code>env_reset</code> tag, when specified, will run the command in a minimal environment,
@@ -7557,7 +7557,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id156" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id156"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Direct root Logins Not Allowed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id156" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id156"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,
+        mode: 0600
+        path: /etc/securetty
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id157" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id157"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Direct root Logins Not Allowed
   copy:
     dest: /etc/securetty
     content: ''
@@ -7574,20 +7588,6 @@
   - no_direct_root_logins
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id157" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id157"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,
-        mode: 0600
-        path: /etc/securetty
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_accounts-session" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts"><td style="padding-left: 57px" id="xccdf_org.ssgproject.content_group_accounts-session"><span class="label label-default">Group</span>  
                 Secure Session Configuration Files for Login Accounts
                           <small>Group contains 3 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_accounts-session" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_accounts-session" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts"><td style="padding-left: 57px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_accounts-session">[ref]</a>  
@@ -8547,7 +8547,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id174" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id174"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id174" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id174"><pre><code>[customizations.kernel]
+append = "l1tf=<abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_l1tf_options">full,force</abbr>"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id175" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id175"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -8624,8 +8626,6 @@
   - medium_complexity
   - reboot_required
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id175" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id175"><pre><code>[customizations.kernel]
-append = "l1tf=<abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_l1tf_options">full,force</abbr>"
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_mce_argument" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_grub2_mce_argument" id="guide-tree-leaf-id176" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_bootloader-grub2"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_grub2_mce_argument"><span class="label label-default">Rule</span>  
                                 Force kernel panic on uncorrected MCEs
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_grub2_mce_argument">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">A Machine Check Exception is an error generated by the CPU itdetects an error
@@ -8659,7 +8659,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id178" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id178"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id178" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id178"><pre><code>[customizations.kernel]
+append = "mce=0"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id179" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id179"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -8731,8 +8733,6 @@
   - medium_severity
   - reboot_required
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id179" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id179"><pre><code>[customizations.kernel]
-append = "mce=0"
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_rng_core_default_quality_argument" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_grub2_rng_core_default_quality_argument" id="guide-tree-leaf-id180" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_bootloader-grub2"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_grub2_rng_core_default_quality_argument"><span class="label label-default">Rule</span>  
                                 Configure the confidence in TPM for entropy
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_grub2_rng_core_default_quality_argument">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The TPM security chip that is available in most modern systems has a hardware RNG.
@@ -8779,7 +8779,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id182" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id182"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id182" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id182"><pre><code>[customizations.kernel]
+append = "rng_core.default_quality=<abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_rng_core_default_quality">500</abbr>"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id183" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id183"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -8857,8 +8859,6 @@
   - medium_complexity
   - reboot_required
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id183" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id183"><pre><code>[customizations.kernel]
-append = "rng_core.default_quality=<abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_rng_core_default_quality">500</abbr>"
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_slab_nomerge_argument" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_grub2_slab_nomerge_argument" id="guide-tree-leaf-id184" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_bootloader-grub2"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_grub2_slab_nomerge_argument"><span class="label label-default">Rule</span>  
                                 Disable merging of slabs with similar size
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_grub2_slab_nomerge_argument">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The kernel may merge similar slabs together to reduce overhead and increase
@@ -8895,7 +8895,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id186" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id186"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id186" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id186"><pre><code>[customizations.kernel]
+append = "slab_nomerge=yes"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id187" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id187"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -8967,8 +8969,6 @@
   - medium_severity
/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-anssi_nt28_minimal.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-anssi_nt28_minimal.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-anssi_nt28_minimal.html	2023-07-27 00:00:00.000000000 +0000
@@ -80,7 +80,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>ANSSI-BP-028 (minimal)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_nt28_minimal</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::client is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::client</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::computenode is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::computenode</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::server is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::server</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::workstation is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::workstation</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:centos:centos:7 is applicable to this Benchmark">cpe:/o:centos:centos:7</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-7"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 7
                           <small>Group contains 26 groups and 42 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -7089,15 +7089,15 @@
   - medium_severity
   - no_reboot_needed
   - package_dhcp_removed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id104" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id104"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=dhcp
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id105" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id105"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_dhcp
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id104" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id104"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_dhcp
 
 class remove_dhcp {
   package { 'dhcp':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id105" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id105"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=dhcp
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_mail" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td style="padding-left: 38px" id="xccdf_org.ssgproject.content_group_mail"><span class="label label-default">Group</span>  
                 Mail Server Software
                           <small>Group contains  1 rule</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_mail" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_mail" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td style="padding-left: 38px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_mail">[ref]</a>  
@@ -7163,15 +7163,15 @@
   - medium_severity
   - no_reboot_needed
   - package_sendmail_removed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id109" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id109"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=sendmail
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id110" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id110"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_sendmail
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id109" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id109"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_sendmail
 
 class remove_sendmail {
   package { 'sendmail':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id110" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id110"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=sendmail
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_obsolete" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td style="padding-left: 38px" id="xccdf_org.ssgproject.content_group_obsolete"><span class="label label-default">Group</span>  
                 Obsolete Services
                           <small>Group contains 6 groups and 11 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_obsolete" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_obsolete" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td style="padding-left: 38px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_obsolete">[ref]</a>  
@@ -7238,15 +7238,15 @@
   - low_severity
   - no_reboot_needed
   - package_xinetd_removed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id114" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id114"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=xinetd
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id115" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id115"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_xinetd
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id114" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id114"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_xinetd
 
 class remove_xinetd {
   package { 'xinetd':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id115" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id115"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=xinetd
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_nis" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td style="padding-left: 57px" id="xccdf_org.ssgproject.content_group_nis"><span class="label label-default">Group</span>  
                 NIS
                           <small>Group contains 2 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_nis" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_nis" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td style="padding-left: 57px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_nis">[ref]</a>  
@@ -7289,15 +7289,15 @@
   - no_reboot_needed
   - package_ypbind_removed
   - unknown_severity
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id119" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id119"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=ypbind
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id120" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id120"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_ypbind
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id119" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id119"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_ypbind
 
 class remove_ypbind {
   package { 'ypbind':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id120" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id120"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=ypbind
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_ypserv_removed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ypserv_removed" id="guide-tree-leaf-id121" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_nis"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_ypserv_removed"><span class="label label-default">Rule</span>  
                                 Uninstall ypserv Package
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_ypserv_removed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The <code>ypserv</code> package can be removed with the following command:
@@ -7338,15 +7338,15 @@
   - low_disruption
   - no_reboot_needed
   - package_ypserv_removed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id124" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id124"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=ypserv
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id125" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id125"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_ypserv
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id124" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id124"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_ypserv
 
 class remove_ypserv {
   package { 'ypserv':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id125" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id125"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=ypserv
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_r_services" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td style="padding-left: 57px" id="xccdf_org.ssgproject.content_group_r_services"><span class="label label-default">Group</span>  
                 Rlogin, Rsh, and Rexec
                           <small>Group contains 2 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_r_services" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_r_services" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td style="padding-left: 57px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_r_services">[ref]</a>  
@@ -7390,15 +7390,15 @@
   - low_disruption
   - no_reboot_needed
   - package_rsh-server_removed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id129" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id129"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=rsh-server
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id130" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id130"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_rsh-server
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id129" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id129"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_rsh-server
 
 class remove_rsh-server {
   package { 'rsh-server':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id130" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id130"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=rsh-server
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_rsh_removed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_rsh_removed" id="guide-tree-leaf-id131" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_rsh_removed"><span class="label label-default">Rule</span>  
                                 Uninstall rsh Package
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_rsh_removed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">
@@ -7437,15 +7437,15 @@
   - no_reboot_needed
   - package_rsh_removed
   - unknown_severity
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id134" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id134"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=rsh
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id135" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id135"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_rsh
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id134" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id134"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_rsh
 
 class remove_rsh {
   package { 'rsh':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id135" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id135"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=rsh
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_talk" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td style="padding-left: 57px" id="xccdf_org.ssgproject.content_group_talk"><span class="label label-default">Group</span>  
                 Chat/Messaging Services
                           <small>Group contains 2 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_talk" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_talk" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td style="padding-left: 57px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_talk">[ref]</a>  
@@ -7478,15 +7478,15 @@
   - medium_severity
   - no_reboot_needed
   - package_talk-server_removed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id139" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id139"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=talk-server
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id140" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id140"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_talk-server
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id139" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id139"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_talk-server
 
 class remove_talk-server {
   package { 'talk-server':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id140" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id140"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=talk-server
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_talk_removed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_talk_removed" id="guide-tree-leaf-id141" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_talk"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_talk_removed"><span class="label label-default">Rule</span>  
                                 Uninstall talk Package
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_talk_removed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The <code>talk</code> package contains the client program for the
@@ -7522,15 +7522,15 @@
   - medium_severity
   - no_reboot_needed
   - package_talk_removed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id144" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id144"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=talk
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id145" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id145"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_talk
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id144" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id144"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_talk
 
 class remove_talk {
   package { 'talk':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id145" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id145"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=talk
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_telnet" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td style="padding-left: 57px" id="xccdf_org.ssgproject.content_group_telnet"><span class="label label-default">Group</span>  
                 Telnet
                           <small>Group contains 2 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_telnet" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_telnet" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td style="padding-left: 57px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_telnet">[ref]</a>  
@@ -7583,15 +7583,15 @@
   - low_disruption
   - no_reboot_needed
   - package_telnet-server_removed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id149" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id149"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=telnet-server
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id150" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id150"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_telnet-server
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id149" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id149"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_telnet-server
 
 class remove_telnet-server {
   package { 'telnet-server':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id150" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id150"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=telnet-server
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_telnet_removed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnet_removed" id="guide-tree-leaf-id151" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_telnet"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_telnet_removed"><span class="label label-default">Rule</span>  
                                 Remove telnet Clients
/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-cis.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-cis.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-cis.html	2023-07-27 00:00:00.000000000 +0000
@@ -79,7 +79,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>CIS Red Hat Enterprise Linux 7 Benchmark for Level 2 - Server</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_cis</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::client is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::client</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::computenode is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::computenode</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::server is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::server</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::workstation is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::workstation</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:centos:centos:7 is applicable to this Benchmark">cpe:/o:centos:centos:7</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_avahi">Avahi Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_dns">DNS Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_http">Web Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_imap">IMAP and POP3 Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_printing">Print Support</a></li><li><a href="#xccdf_org.ssgproject.content_group_proxy">Proxy Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB) Microsoft Windows File Sharing Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_snmp">SNMP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_xwindows">X Window System</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-7"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 7
                           <small>Group contains 110 groups and 329 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -133,7 +133,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id26" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id26"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -150,19 +154,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id26" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id26"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id27" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id27"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id28" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id28"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id27" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id27"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id28" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id28"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_build_database" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_aide_build_database" id="guide-tree-leaf-id29" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_aide"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_aide_build_database"><span class="label label-default">Rule</span>  
                                 Build and Test AIDE Database
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_aide_build_database">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Run the following command to generate a new database:
@@ -472,15 +472,15 @@
   - medium_severity
   - no_reboot_needed
   - package_prelink_removed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id38" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id38"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=prelink
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id39" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id39"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_prelink
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id38" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id38"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_prelink
 
 class remove_prelink {
   package { 'prelink':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id39" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id39"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=prelink
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_disk_partitioning" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_software"><td style="padding-left: 57px" id="xccdf_org.ssgproject.content_group_disk_partitioning"><span class="label label-default">Group</span>  
                 Disk Partitioning
                           <small>Group contains 7 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_disk_partitioning" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disk_partitioning" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_software"><td style="padding-left: 57px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_disk_partitioning">[ref]</a>  
@@ -890,7 +890,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id71" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id71"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id71" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id71"><pre><code>
+[[packages]]
+name = "sudo"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id72" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id72"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -904,19 +908,15 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id72" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id72"><pre><code>
-[[packages]]
-name = "sudo"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id73" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id73"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=sudo
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id74" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id74"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id73" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id73"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
 
 class install_sudo {
   package { 'sudo':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id74" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id74"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=sudo
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sudo_add_use_pty" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sudo_add_use_pty" id="guide-tree-leaf-id75" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_sudo"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_sudo_add_use_pty"><span class="label label-default">Rule</span>  
                                 Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_pty
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_sudo_add_use_pty">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The sudo <code>use_pty</code> tag, when specified, will only execute sudo
@@ -26052,7 +26052,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id291" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id291"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id291" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id291"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20delete_module%20-k%20module-change%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20delete_module%20-k%20module-change%0A
+        mode: 0600
+        path: /etc/audit/rules.d/75-kernel-module-loading-delete.rules
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id292" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id292"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -26373,20 +26387,6 @@
   - low_disruption
   - medium_severity
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id292" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id292"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20delete_module%20-k%20module-change%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20delete_module%20-k%20module-change%0A
-        mode: 0600
-        path: /etc/audit/rules.d/75-kernel-module-loading-delete.rules
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_init" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_init" id="guide-tree-leaf-id293" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_audit_kernel_module_loading"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_init"><span class="label label-default">Rule</span>  
                                 Ensure auditd Collects Information on Kernel Module Loading - init_module
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_init">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">To capture kernel module loading events, use following line, setting ARCH to
@@ -26737,7 +26737,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id295" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id295"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id295" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id295"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20init_module%20-k%20module-change%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20init_module%20-k%20module-change%0A
+        mode: 0600
+        path: /etc/audit/rules.d/75-kernel-module-loading-init.rules
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id296" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id296"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -27066,20 +27080,6 @@
   - low_disruption
   - medium_severity
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id296" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id296"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20init_module%20-k%20module-change%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20init_module%20-k%20module-change%0A
-        mode: 0600
-        path: /etc/audit/rules.d/75-kernel-module-loading-init.rules
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_audit_login_events" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_auditd_configure_rules"><td style="padding-left: 76px" id="xccdf_org.ssgproject.content_group_audit_login_events"><span class="label label-default">Group</span>  
                 Record Attempts to Alter Logon and Logout Events
                           <small>Group contains 2 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_audit_login_events" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_audit_login_events" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_auditd_configure_rules"><td style="padding-left: 76px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_audit_login_events">[ref]</a>  
@@ -29714,7 +29714,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id317" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id317"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id317" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id317"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-cis_server_l1.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-cis_server_l1.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-cis_server_l1.html	2023-07-27 00:00:00.000000000 +0000
@@ -79,7 +79,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>CIS Red Hat Enterprise Linux 7 Benchmark for Level 1 - Server</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_cis_server_l1</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::client is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::client</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::computenode is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::computenode</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::server is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::server</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::workstation is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::workstation</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:centos:centos:7 is applicable to this Benchmark">cpe:/o:centos:centos:7</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_avahi">Avahi Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_dns">DNS Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_http">Web Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_imap">IMAP and POP3 Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_printing">Print Support</a></li><li><a href="#xccdf_org.ssgproject.content_group_proxy">Proxy Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB) Microsoft Windows File Sharing Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_snmp">SNMP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_xwindows">X Window System</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-7"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 7
                           <small>Group contains 99 groups and 263 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -133,7 +133,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id26" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id26"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -150,19 +154,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id26" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id26"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id27" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id27"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id28" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id28"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id27" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id27"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id28" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id28"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_build_database" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_aide_build_database" id="guide-tree-leaf-id29" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_aide"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_aide_build_database"><span class="label label-default">Rule</span>  
                                 Build and Test AIDE Database
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_aide_build_database">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Run the following command to generate a new database:
@@ -472,15 +472,15 @@
   - medium_severity
   - no_reboot_needed
   - package_prelink_removed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id38" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id38"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=prelink
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id39" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id39"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_prelink
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id38" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id38"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_prelink
 
 class remove_prelink {
   package { 'prelink':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id39" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id39"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=prelink
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_disk_partitioning" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_software"><td style="padding-left: 57px" id="xccdf_org.ssgproject.content_group_disk_partitioning"><span class="label label-default">Group</span>  
                 Disk Partitioning
                           <small>Group contains 2 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_disk_partitioning" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disk_partitioning" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_software"><td style="padding-left: 57px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_disk_partitioning">[ref]</a>  
@@ -815,7 +815,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id56" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id56"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id56" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id56"><pre><code>
+[[packages]]
+name = "sudo"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id57" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id57"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -829,19 +833,15 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id57" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id57"><pre><code>
-[[packages]]
-name = "sudo"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id58" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id58"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=sudo
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id59" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id59"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id58" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id58"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
 
 class install_sudo {
   package { 'sudo':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id59" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id59"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=sudo
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sudo_add_use_pty" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sudo_add_use_pty" id="guide-tree-leaf-id60" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_sudo"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_sudo_add_use_pty"><span class="label label-default">Rule</span>  
                                 Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_pty
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_sudo_add_use_pty">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The sudo <code>use_pty</code> tag, when specified, will only execute sudo
@@ -8726,7 +8726,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id263" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id263"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rsyslog is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id263" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id263"><pre><code>
+[[packages]]
+name = "rsyslog"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id264" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id264"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rsyslog is installed
   package:
     name: rsyslog
     state: present
@@ -8739,19 +8743,15 @@
   - medium_severity
   - no_reboot_needed
   - package_rsyslog_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id264" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id264"><pre><code>
-[[packages]]
-name = "rsyslog"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id265" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id265"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=rsyslog
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id266" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id266"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_rsyslog
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id265" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id265"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_rsyslog
 
 class install_rsyslog {
   package { 'rsyslog':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id266" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id266"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=rsyslog
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_rsyslog_enabled" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rsyslog_enabled" id="guide-tree-leaf-id267" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_logging"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_service_rsyslog_enabled"><span class="label label-default">Rule</span>  
                                 Enable rsyslog Service
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_service_rsyslog_enabled">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The <code>rsyslog</code> service provides syslog-style logging by default on Red Hat Enterprise Linux 7.
@@ -8770,7 +8770,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id269" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id269"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service rsyslog
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id269" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id269"><pre><code>
+[customizations.services]
+enabled = ["rsyslog"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id270" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id270"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service rsyslog
   block:
 
   - name: Gather the package facts
@@ -8795,9 +8798,6 @@
   - medium_severity
   - no_reboot_needed
   - service_rsyslog_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id270" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id270"><pre><code>
-[customizations.services]
-enabled = ["rsyslog"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id271" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id271"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_rsyslog
 
 class enable_rsyslog {
@@ -9065,7 +9065,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id277" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id277"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure firewalld is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id277" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id277"><pre><code>
+[[packages]]
+name = "firewalld"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id278" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id278"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure firewalld is installed
   package:
     name: firewalld
     state: present
@@ -9078,19 +9082,15 @@
   - medium_severity
   - no_reboot_needed
   - package_firewalld_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id278" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id278"><pre><code>
-[[packages]]
-name = "firewalld"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id279" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id279"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=firewalld
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id280" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id280"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_firewalld
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id279" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id279"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_firewalld
 
 class install_firewalld {
   package { 'firewalld':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id280" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id280"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=firewalld
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_firewalld_enabled" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_firewalld_enabled" id="guide-tree-leaf-id281" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_firewalld_activation"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_service_firewalld_enabled"><span class="label label-default">Rule</span>  
                                 Verify firewalld Enabled
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_service_firewalld_enabled">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">
@@ -9109,7 +9109,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-cis_workstation_l1.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-cis_workstation_l1.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-cis_workstation_l1.html	2023-07-27 00:00:00.000000000 +0000
@@ -79,7 +79,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>CIS Red Hat Enterprise Linux 7 Benchmark for Level 1 - Workstation</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_cis_workstation_l1</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::client is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::client</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::computenode is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::computenode</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::server is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::server</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::workstation is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::workstation</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:centos:centos:7 is applicable to this Benchmark">cpe:/o:centos:centos:7</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_dns">DNS Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_http">Web Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_imap">IMAP and POP3 Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_proxy">Proxy Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB) Microsoft Windows File Sharing Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_snmp">SNMP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-7"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 7
                           <small>Group contains 92 groups and 256 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -133,7 +133,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id26" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id26"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -150,19 +154,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id26" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id26"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id27" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id27"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id28" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id28"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id27" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id27"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id28" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id28"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_build_database" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_aide_build_database" id="guide-tree-leaf-id29" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_aide"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_aide_build_database"><span class="label label-default">Rule</span>  
                                 Build and Test AIDE Database
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_aide_build_database">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Run the following command to generate a new database:
@@ -472,15 +472,15 @@
   - medium_severity
   - no_reboot_needed
   - package_prelink_removed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id38" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id38"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=prelink
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id39" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id39"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_prelink
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id38" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id38"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_prelink
 
 class remove_prelink {
   package { 'prelink':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id39" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id39"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=prelink
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_disk_partitioning" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_software"><td style="padding-left: 57px" id="xccdf_org.ssgproject.content_group_disk_partitioning"><span class="label label-default">Group</span>  
                 Disk Partitioning
                           <small>Group contains 2 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_disk_partitioning" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disk_partitioning" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_software"><td style="padding-left: 57px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_disk_partitioning">[ref]</a>  
@@ -815,7 +815,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id56" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id56"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id56" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id56"><pre><code>
+[[packages]]
+name = "sudo"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id57" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id57"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -829,19 +833,15 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id57" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id57"><pre><code>
-[[packages]]
-name = "sudo"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id58" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id58"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=sudo
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id59" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id59"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id58" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id58"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
 
 class install_sudo {
   package { 'sudo':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id59" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id59"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=sudo
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sudo_add_use_pty" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sudo_add_use_pty" id="guide-tree-leaf-id60" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_sudo"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_sudo_add_use_pty"><span class="label label-default">Rule</span>  
                                 Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_pty
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_sudo_add_use_pty">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The sudo <code>use_pty</code> tag, when specified, will only execute sudo
@@ -8726,7 +8726,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id263" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id263"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rsyslog is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id263" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id263"><pre><code>
+[[packages]]
+name = "rsyslog"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id264" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id264"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rsyslog is installed
   package:
     name: rsyslog
     state: present
@@ -8739,19 +8743,15 @@
   - medium_severity
   - no_reboot_needed
   - package_rsyslog_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id264" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id264"><pre><code>
-[[packages]]
-name = "rsyslog"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id265" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id265"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=rsyslog
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id266" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id266"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_rsyslog
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id265" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id265"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_rsyslog
 
 class install_rsyslog {
   package { 'rsyslog':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id266" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id266"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=rsyslog
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_rsyslog_enabled" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rsyslog_enabled" id="guide-tree-leaf-id267" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_logging"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_service_rsyslog_enabled"><span class="label label-default">Rule</span>  
                                 Enable rsyslog Service
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_service_rsyslog_enabled">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The <code>rsyslog</code> service provides syslog-style logging by default on Red Hat Enterprise Linux 7.
@@ -8770,7 +8770,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id269" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id269"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service rsyslog
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id269" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id269"><pre><code>
+[customizations.services]
+enabled = ["rsyslog"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id270" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id270"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service rsyslog
   block:
 
   - name: Gather the package facts
@@ -8795,9 +8798,6 @@
   - medium_severity
   - no_reboot_needed
   - service_rsyslog_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id270" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id270"><pre><code>
-[customizations.services]
-enabled = ["rsyslog"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id271" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id271"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_rsyslog
 
 class enable_rsyslog {
@@ -9065,7 +9065,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id277" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id277"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure firewalld is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id277" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id277"><pre><code>
+[[packages]]
+name = "firewalld"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id278" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id278"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure firewalld is installed
   package:
     name: firewalld
     state: present
@@ -9078,19 +9082,15 @@
   - medium_severity
   - no_reboot_needed
   - package_firewalld_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id278" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id278"><pre><code>
-[[packages]]
-name = "firewalld"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id279" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id279"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=firewalld
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id280" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id280"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_firewalld
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id279" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id279"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_firewalld
 
 class install_firewalld {
   package { 'firewalld':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id280" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id280"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=firewalld
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_firewalld_enabled" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_firewalld_enabled" id="guide-tree-leaf-id281" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_firewalld_activation"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_service_firewalld_enabled"><span class="label label-default">Rule</span>  
                                 Verify firewalld Enabled
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_service_firewalld_enabled">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">
@@ -9109,7 +9109,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-cis_workstation_l2.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-cis_workstation_l2.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-cis_workstation_l2.html	2023-07-27 00:00:00.000000000 +0000
@@ -79,7 +79,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>CIS Red Hat Enterprise Linux 7 Benchmark for Level 2 - Workstation</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_cis_workstation_l2</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::client is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::client</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::computenode is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::computenode</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::server is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::server</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::workstation is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::workstation</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:centos:centos:7 is applicable to this Benchmark">cpe:/o:centos:centos:7</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_avahi">Avahi Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_dns">DNS Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_http">Web Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_imap">IMAP and POP3 Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_proxy">Proxy Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB) Microsoft Windows File Sharing Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_snmp">SNMP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-7"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 7
                           <small>Group contains 107 groups and 326 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -133,7 +133,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id26" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id26"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -150,19 +154,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id26" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id26"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id27" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id27"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id28" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id28"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id27" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id27"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id28" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id28"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_build_database" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_aide_build_database" id="guide-tree-leaf-id29" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_aide"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_aide_build_database"><span class="label label-default">Rule</span>  
                                 Build and Test AIDE Database
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_aide_build_database">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Run the following command to generate a new database:
@@ -472,15 +472,15 @@
   - medium_severity
   - no_reboot_needed
   - package_prelink_removed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id38" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id38"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=prelink
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id39" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id39"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_prelink
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id38" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id38"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_prelink
 
 class remove_prelink {
   package { 'prelink':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id39" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id39"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=prelink
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_disk_partitioning" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_software"><td style="padding-left: 57px" id="xccdf_org.ssgproject.content_group_disk_partitioning"><span class="label label-default">Group</span>  
                 Disk Partitioning
                           <small>Group contains 7 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_disk_partitioning" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disk_partitioning" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_software"><td style="padding-left: 57px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_disk_partitioning">[ref]</a>  
@@ -890,7 +890,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id71" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id71"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id71" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id71"><pre><code>
+[[packages]]
+name = "sudo"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id72" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id72"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -904,19 +908,15 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id72" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id72"><pre><code>
-[[packages]]
-name = "sudo"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id73" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id73"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=sudo
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id74" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id74"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id73" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id73"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
 
 class install_sudo {
   package { 'sudo':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id74" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id74"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=sudo
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sudo_add_use_pty" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sudo_add_use_pty" id="guide-tree-leaf-id75" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_sudo"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_sudo_add_use_pty"><span class="label label-default">Rule</span>  
                                 Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_pty
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_sudo_add_use_pty">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The sudo <code>use_pty</code> tag, when specified, will only execute sudo
@@ -26052,7 +26052,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id291" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id291"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id291" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id291"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20delete_module%20-k%20module-change%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20delete_module%20-k%20module-change%0A
+        mode: 0600
+        path: /etc/audit/rules.d/75-kernel-module-loading-delete.rules
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id292" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id292"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -26373,20 +26387,6 @@
   - low_disruption
   - medium_severity
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id292" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id292"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20delete_module%20-k%20module-change%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20delete_module%20-k%20module-change%0A
-        mode: 0600
-        path: /etc/audit/rules.d/75-kernel-module-loading-delete.rules
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_init" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_init" id="guide-tree-leaf-id293" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_audit_kernel_module_loading"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_init"><span class="label label-default">Rule</span>  
                                 Ensure auditd Collects Information on Kernel Module Loading - init_module
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_init">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">To capture kernel module loading events, use following line, setting ARCH to
@@ -26737,7 +26737,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id295" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id295"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id295" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id295"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20init_module%20-k%20module-change%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20init_module%20-k%20module-change%0A
+        mode: 0600
+        path: /etc/audit/rules.d/75-kernel-module-loading-init.rules
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id296" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id296"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -27066,20 +27080,6 @@
   - low_disruption
   - medium_severity
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id296" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id296"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20init_module%20-k%20module-change%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20init_module%20-k%20module-change%0A
-        mode: 0600
-        path: /etc/audit/rules.d/75-kernel-module-loading-init.rules
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_audit_login_events" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_auditd_configure_rules"><td style="padding-left: 76px" id="xccdf_org.ssgproject.content_group_audit_login_events"><span class="label label-default">Group</span>  
                 Record Attempts to Alter Logon and Logout Events
                           <small>Group contains 2 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_audit_login_events" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_audit_login_events" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_auditd_configure_rules"><td style="padding-left: 76px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_audit_login_events">[ref]</a>  
@@ -29714,7 +29714,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id317" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id317"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id317" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id317"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-cjis.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-cjis.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-cjis.html	2023-07-27 00:00:00.000000000 +0000
@@ -78,7 +78,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Criminal Justice Information Services (CJIS) Security Policy</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_cjis</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::client is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::client</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::computenode is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::computenode</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::server is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::server</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::workstation is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::workstation</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:centos:centos:7 is applicable to this Benchmark">cpe:/o:centos:centos:7</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-7"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 7
                           <small>Group contains 47 groups and 102 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -467,7 +467,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id31" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id31"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id31" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id31"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id32" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id32"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -484,19 +488,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id32" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id32"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id33" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id33"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id34" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id34"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id33" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id33"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id34" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id34"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_build_database" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_aide_build_database" id="guide-tree-leaf-id35" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_aide"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_aide_build_database"><span class="label label-default">Rule</span>  
                                 Build and Test AIDE Database
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_aide_build_database">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Run the following command to generate a new database:
@@ -3796,7 +3796,26 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id100" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id100"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id100" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id100"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/password-auth
+        overwrite: true
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/system-auth
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id101" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id101"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
     authselect
   ansible.builtin.stat:
     path: /usr/bin/authselect
@@ -3920,25 +3939,6 @@
   - medium_disruption
   - no_empty_passwords
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id101" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id101"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/password-auth
-        overwrite: true
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/system-auth
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_accounts-session" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts"><td style="padding-left: 57px" id="xccdf_org.ssgproject.content_group_accounts-session"><span class="label label-default">Group</span>  
                 Secure Session Configuration Files for Login Accounts
                           <small>Group contains  1 rule</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_accounts-session" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_accounts-session" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts"><td style="padding-left: 57px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_accounts-session">[ref]</a>  
@@ -16317,7 +16317,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id158" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id158"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id158" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id158"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db64%20-S%20adjtimex%20-k%20audit_time_rules%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20adjtimex%20-k%20audit_time_rules%0A }}
+        mode: 0600
+        path: /etc/audit/rules.d/75-syscall-adjtimex.rules
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id159" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id159"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -16641,20 +16655,6 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id159" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id159"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db64%20-S%20adjtimex%20-k%20audit_time_rules%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20adjtimex%20-k%20audit_time_rules%0A }}
-        mode: 0600
-        path: /etc/audit/rules.d/75-syscall-adjtimex.rules
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime" id="guide-tree-leaf-id160" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_audit_time_rules"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime"><span class="label label-default">Rule</span>  
                                 Record Attempts to Alter Time Through clock_settime
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">If the <code>auditd</code> daemon is configured to use the
@@ -17006,7 +17006,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id162" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id162"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id162" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id162"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db64%20-S%20clock_settime%20-F%20a0%3D0x0%20-k%20time-change%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20clock_settime%20-F%20a0%3D0x0%20-k%20time-change%0A }}
+        mode: 0600
+        path: /etc/audit/rules.d/75-syscall-clock-settime.rules
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id163" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id163"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -17323,20 +17337,6 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id163" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id163"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db64%20-S%20clock_settime%20-F%20a0%3D0x0%20-k%20time-change%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20clock_settime%20-F%20a0%3D0x0%20-k%20time-change%0A }}
-        mode: 0600
-        path: /etc/audit/rules.d/75-syscall-clock-settime.rules
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday" id="guide-tree-leaf-id164" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_audit_time_rules"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday"><span class="label label-default">Rule</span>  
                                 Record attempts to alter time through settimeofday
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">If the <code>auditd</code> daemon is configured to use the
@@ -17700,7 +17700,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id166" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id166"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id166" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id166"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-cui.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-cui.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-cui.html	2023-07-27 00:00:00.000000000 +0000
@@ -90,7 +90,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_cui</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::client is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::client</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::computenode is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::computenode</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::server is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::server</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::workstation is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::workstation</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:centos:centos:7 is applicable to this Benchmark">cpe:/o:centos:centos:7</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-7"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 7
                           <small>Group contains 50 groups and 103 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -160,7 +160,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure dracut-fips is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><pre><code>
+[[packages]]
+name = "dracut-fips"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id26" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id26"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure dracut-fips is installed
   package:
     name: dracut-fips
     state: present
@@ -184,19 +188,15 @@
   - medium_severity
   - no_reboot_needed
   - package_dracut-fips_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id26" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id26"><pre><code>
-[[packages]]
-name = "dracut-fips"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id27" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id27"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=dracut-fips
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id28" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id28"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_dracut-fips
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id27" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id27"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_dracut-fips
 
 class install_dracut-fips {
   package { 'dracut-fips':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id28" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id28"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=dracut-fips
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode" id="guide-tree-leaf-id29" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_fips"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode"><span class="label label-default">Rule</span>  
                                 Enable FIPS Mode in GRUB2
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">To ensure FIPS mode is enabled, install package <code>dracut-fips</code>, and rebuild <code>initramfs</code> by running the following commands:
@@ -5477,7 +5477,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id83" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id83"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure screen is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id83" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id83"><pre><code>
+[[packages]]
+name = "screen"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id84" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id84"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure screen is installed
   package:
     name: screen
     state: present
@@ -5492,19 +5496,15 @@
   - medium_severity
   - no_reboot_needed
   - package_screen_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id84" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id84"><pre><code>
-[[packages]]
-name = "screen"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id85" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id85"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=screen
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id86" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id86"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_screen
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id85" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id85"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_screen
 
 class install_screen {
   package { 'screen':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id86" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id86"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=screen
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_debug-shell_disabled" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_debug-shell_disabled" id="guide-tree-leaf-id87" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-physical"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_service_debug-shell_disabled"><span class="label label-default">Rule</span>  
                                 Disable debug-shell SystemD Service
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_service_debug-shell_disabled">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">SystemD's <code>debug-shell</code> service is intended to
@@ -5540,7 +5540,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id89" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id89"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Block Disable service debug-shell
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id89" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id89"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    systemd:
+      units:
+      - enabled: false
+        name: debug-shell.service
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id90" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id90"><pre><code>
+[customizations.services]
+disabled = ["debug-shell"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id91" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id91"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Block Disable service debug-shell
   block:
 
   - name: Disable service debug-shell
@@ -5603,20 +5617,6 @@
   - medium_severity
   - no_reboot_needed
   - service_debug-shell_disabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id90" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id90"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-      - enabled: false
-        name: debug-shell.service
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id91" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id91"><pre><code>
-[customizations.services]
-disabled = ["debug-shell"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id92" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id92"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include disable_debug-shell
 
 class disable_debug-shell {
@@ -5670,7 +5670,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id95" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id95"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id95" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id95"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,CtrlAltDelBurstAction%3Dnone
+        mode: 0644
+        path: /etc/systemd/system.conf.d/disable_ctrlaltdelete_burstaction.conf
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id96" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id96"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -5704,20 +5718,6 @@
   - low_complexity
   - low_disruption
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id96" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id96"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,CtrlAltDelBurstAction%3Dnone
-        mode: 0644
-        path: /etc/systemd/system.conf.d/disable_ctrlaltdelete_burstaction.conf
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot" id="guide-tree-leaf-id97" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-physical"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot"><span class="label label-default">Rule</span>  
                                 Disable Ctrl-Alt-Del Reboot Activation
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">By default, <code>SystemD</code> will reboot the system if the <code>Ctrl-Alt-Del</code>
@@ -5744,7 +5744,18 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id99" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id99"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Disable Ctrl-Alt-Del Reboot Activation
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id99" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id99"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    systemd:
+      units:
+      - name: ctrl-alt-del.target
+        mask: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id100" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id100"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Disable Ctrl-Alt-Del Reboot Activation
   systemd:
     name: ctrl-alt-del.target
     force: true
@@ -5762,17 +5773,6 @@
   - low_complexity
   - low_disruption
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id100" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id100"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-e8.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-e8.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-e8.html	2023-07-27 00:00:00.000000000 +0000
@@ -80,7 +80,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Australian Cyber Security Centre (ACSC) Essential Eight</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_e8</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::client is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::client</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::computenode is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::computenode</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::server is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::server</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::workstation is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::workstation</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:centos:centos:7 is applicable to this Benchmark">cpe:/o:centos:centos:7</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_avahi">Avahi Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_proxy">Proxy Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_routing">Network Routing</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-7"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 7
                           <small>Group contains 46 groups and 94 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -825,7 +825,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id43" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id43"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rear is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id43" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id43"><pre><code>
+[[packages]]
+name = "rear"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id44" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id44"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rear is installed
   package:
     name: rear
     state: present
@@ -841,19 +845,15 @@
   - medium_severity
   - no_reboot_needed
   - package_rear_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id44" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id44"><pre><code>
-[[packages]]
-name = "rear"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id45" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id45"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=rear
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id46" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id46"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_rear
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id45" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id45"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_rear
 
 class install_rear {
   package { 'rear':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id46" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id46"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=rear
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_updating" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_software"><td style="padding-left: 57px" id="xccdf_org.ssgproject.content_group_updating"><span class="label label-default">Group</span>  
                 Updating Software
                           <small>Group contains 5 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_updating" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_updating" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_software"><td style="padding-left: 57px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_updating">[ref]</a>  
@@ -1424,7 +1424,26 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id64" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id64"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id64" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id64"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/password-auth
+        overwrite: true
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/system-auth
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id65" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id65"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
     authselect
   ansible.builtin.stat:
     path: /usr/bin/authselect
@@ -1548,25 +1567,6 @@
   - medium_disruption
   - no_empty_passwords
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id65" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id65"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/password-auth
-        overwrite: true
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/system-auth
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_root_logins" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-restrictions"><td style="padding-left: 76px" id="xccdf_org.ssgproject.content_group_root_logins"><span class="label label-default">Group</span>  
                 Restrict Root Logins
                           <small>Group contains  1 rule</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_root_logins" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_root_logins" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-restrictions"><td style="padding-left: 76px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_root_logins">[ref]</a>  
@@ -8695,7 +8695,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id109" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id109"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id109" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id109"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db64%20-S%20adjtimex%20-k%20audit_time_rules%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20adjtimex%20-k%20audit_time_rules%0A }}
+        mode: 0600
+        path: /etc/audit/rules.d/75-syscall-adjtimex.rules
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id110" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id110"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -9019,20 +9033,6 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id110" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id110"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db64%20-S%20adjtimex%20-k%20audit_time_rules%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20adjtimex%20-k%20audit_time_rules%0A }}
-        mode: 0600
-        path: /etc/audit/rules.d/75-syscall-adjtimex.rules
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime" id="guide-tree-leaf-id111" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_audit_time_rules"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime"><span class="label label-default">Rule</span>  
                                 Record Attempts to Alter Time Through clock_settime
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">If the <code>auditd</code> daemon is configured to use the
@@ -9384,7 +9384,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id113" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id113"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id113" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id113"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db64%20-S%20clock_settime%20-F%20a0%3D0x0%20-k%20time-change%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20clock_settime%20-F%20a0%3D0x0%20-k%20time-change%0A }}
+        mode: 0600
+        path: /etc/audit/rules.d/75-syscall-clock-settime.rules
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id114" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id114"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -9701,20 +9715,6 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id114" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id114"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db64%20-S%20clock_settime%20-F%20a0%3D0x0%20-k%20time-change%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20clock_settime%20-F%20a0%3D0x0%20-k%20time-change%0A }}
-        mode: 0600
-        path: /etc/audit/rules.d/75-syscall-clock-settime.rules
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday" id="guide-tree-leaf-id115" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_audit_time_rules"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday"><span class="label label-default">Rule</span>  
                                 Record attempts to alter time through settimeofday
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">If the <code>auditd</code> daemon is configured to use the
@@ -10078,7 +10078,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id117" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id117"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id117" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id117"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-hipaa.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-hipaa.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-hipaa.html	2023-07-27 00:00:00.000000000 +0000
@@ -83,7 +83,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Health Insurance Portability and Accountability Act (HIPAA)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_hipaa</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::client is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::client</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::computenode is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::computenode</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::server is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::server</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::workstation is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::workstation</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:centos:centos:7 is applicable to this Benchmark">cpe:/o:centos:centos:7</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_routing">Network Routing</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-7"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 7
                           <small>Group contains 54 groups and 142 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -1324,7 +1324,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id52" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id52"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Block Disable service debug-shell
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id52" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id52"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    systemd:
+      units:
+      - enabled: false
+        name: debug-shell.service
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id53" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id53"><pre><code>
+[customizations.services]
+disabled = ["debug-shell"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id54" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id54"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Block Disable service debug-shell
   block:
 
   - name: Disable service debug-shell
@@ -1387,20 +1401,6 @@
   - medium_severity
   - no_reboot_needed
   - service_debug-shell_disabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id53" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id53"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-      - enabled: false
-        name: debug-shell.service
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id54" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id54"><pre><code>
-[customizations.services]
-disabled = ["debug-shell"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id55" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id55"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include disable_debug-shell
 
 class disable_debug-shell {
@@ -1454,7 +1454,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id58" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id58"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id58" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id58"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,CtrlAltDelBurstAction%3Dnone
+        mode: 0644
+        path: /etc/systemd/system.conf.d/disable_ctrlaltdelete_burstaction.conf
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id59" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id59"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -1488,20 +1502,6 @@
   - low_complexity
   - low_disruption
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id59" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id59"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,CtrlAltDelBurstAction%3Dnone
-        mode: 0644
-        path: /etc/systemd/system.conf.d/disable_ctrlaltdelete_burstaction.conf
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot" id="guide-tree-leaf-id60" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-physical"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot"><span class="label label-default">Rule</span>  
                                 Disable Ctrl-Alt-Del Reboot Activation
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">By default, <code>SystemD</code> will reboot the system if the <code>Ctrl-Alt-Del</code>
@@ -1528,7 +1528,18 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id62" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id62"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Disable Ctrl-Alt-Del Reboot Activation
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id62" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id62"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    systemd:
+      units:
+      - name: ctrl-alt-del.target
+        mask: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id63" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id63"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Disable Ctrl-Alt-Del Reboot Activation
   systemd:
     name: ctrl-alt-del.target
     force: true
@@ -1546,17 +1557,6 @@
   - low_complexity
   - low_disruption
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id63" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id63"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-      - name: ctrl-alt-del.target
-        mask: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_disable_interactive_boot" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_grub2_disable_interactive_boot" id="guide-tree-leaf-id64" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-physical"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_grub2_disable_interactive_boot"><span class="label label-default">Rule</span>  
                                 Verify that Interactive Boot is Disabled
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_grub2_disable_interactive_boot">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Red Hat Enterprise Linux 7 systems support an "interactive boot" option that can
@@ -1820,7 +1820,26 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id72" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id72"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id72" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id72"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/password-auth
+        overwrite: true
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/system-auth
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id73" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id73"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
     authselect
   ansible.builtin.stat:
     path: /usr/bin/authselect
@@ -1944,25 +1963,6 @@
   - medium_disruption
   - no_empty_passwords
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id73" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id73"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/password-auth
-        overwrite: true
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/system-auth
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_root_logins" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-restrictions"><td style="padding-left: 76px" id="xccdf_org.ssgproject.content_group_root_logins"><span class="label label-default">Group</span>  
                 Restrict Root Logins
                           <small>Group contains 3 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_root_logins" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_root_logins" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-restrictions"><td style="padding-left: 76px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_root_logins">[ref]</a>  
@@ -2014,7 +2014,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id76" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id76"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Direct root Logins Not Allowed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id76" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id76"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-ncp.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-ncp.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-ncp.html	2023-07-27 00:00:00.000000000 +0000
@@ -101,7 +101,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>NIST National Checklist Program Security Guide</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_ncp</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::client is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::client</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::computenode is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::computenode</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::server is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::server</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::workstation is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::workstation</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:centos:centos:7 is applicable to this Benchmark">cpe:/o:centos:centos:7</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_routing">Network Routing</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_sssd">System Security Services Daemon</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-7"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 7
                           <small>Group contains 105 groups and 385 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -490,7 +490,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id31" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id31"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id31" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id31"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id32" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id32"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -507,19 +511,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id32" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id32"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id33" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id33"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id34" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id34"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id33" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id33"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id34" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id34"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_build_database" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_aide_build_database" id="guide-tree-leaf-id35" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_aide"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_aide_build_database"><span class="label label-default">Rule</span>  
                                 Build and Test AIDE Database
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_aide_build_database">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Run the following command to generate a new database:
@@ -1063,7 +1063,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id52" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id52"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure dracut-fips is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id52" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id52"><pre><code>
+[[packages]]
+name = "dracut-fips"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id53" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id53"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure dracut-fips is installed
   package:
     name: dracut-fips
     state: present
@@ -1087,19 +1091,15 @@
   - medium_severity
   - no_reboot_needed
   - package_dracut-fips_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id53" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id53"><pre><code>
-[[packages]]
-name = "dracut-fips"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id54" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id54"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=dracut-fips
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id55" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id55"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_dracut-fips
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id54" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id54"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_dracut-fips
 
 class install_dracut-fips {
   package { 'dracut-fips':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id55" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id55"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=dracut-fips
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode" id="guide-tree-leaf-id56" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_fips"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode"><span class="label label-default">Rule</span>  
                                 Enable FIPS Mode in GRUB2
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">To ensure FIPS mode is enabled, install package <code>dracut-fips</code>, and rebuild <code>initramfs</code> by running the following commands:
@@ -13237,7 +13237,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id231" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id231"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure screen is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id231" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id231"><pre><code>
+[[packages]]
+name = "screen"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id232" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id232"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure screen is installed
   package:
     name: screen
     state: present
@@ -13252,19 +13256,15 @@
   - medium_severity
   - no_reboot_needed
   - package_screen_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id232" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id232"><pre><code>
-[[packages]]
-name = "screen"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id233" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id233"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=screen
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id234" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id234"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_screen
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id233" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id233"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_screen
 
 class install_screen {
   package { 'screen':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id234" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id234"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=screen
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_smart_card_login" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_screen_locking"><td style="padding-left: 95px" id="xccdf_org.ssgproject.content_group_smart_card_login"><span class="label label-default">Group</span>  
                 Hardware Tokens for Authentication
                           <small>Group contains 6 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_smart_card_login" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_smart_card_login" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_screen_locking"><td style="padding-left: 95px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_smart_card_login">[ref]</a>  
@@ -13298,7 +13298,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id237" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id237"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure opensc is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id237" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id237"><pre><code>
+[[packages]]
+name = "opensc"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id238" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id238"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure opensc is installed
   package:
     name: opensc
     state: present
@@ -13311,19 +13315,15 @@
   - medium_severity
   - no_reboot_needed
   - package_opensc_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id238" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id238"><pre><code>
-[[packages]]
-name = "opensc"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id239" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id239"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=opensc
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id240" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id240"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_opensc
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id239" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id239"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_opensc
 
 class install_opensc {
   package { 'opensc':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id240" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id240"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=opensc
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_pcsc-lite_installed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_pcsc-lite_installed" id="guide-tree-leaf-id241" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smart_card_login"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_pcsc-lite_installed"><span class="label label-default">Rule</span>  
                                 Install the pcsc-lite package
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_pcsc-lite_installed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The <code>pcsc-lite</code> package can be installed with the following command:
@@ -13340,7 +13340,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id243" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id243"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure pcsc-lite is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id243" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id243"><pre><code>
+[[packages]]
+name = "pcsc-lite"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id244" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id244"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure pcsc-lite is installed
   package:
     name: pcsc-lite
     state: present
@@ -13353,19 +13357,15 @@
   - medium_severity
   - no_reboot_needed
   - package_pcsc-lite_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id244" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id244"><pre><code>
-[[packages]]
-name = "pcsc-lite"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id245" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id245"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=pcsc-lite
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id246" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id246"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_pcsc-lite
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id245" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id245"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_pcsc-lite
 
 class install_pcsc-lite {
   package { 'pcsc-lite':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id246" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id246"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=pcsc-lite
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_pcscd_enabled" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_pcscd_enabled" id="guide-tree-leaf-id247" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smart_card_login"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_service_pcscd_enabled"><span class="label label-default">Rule</span>  
                                 Enable the pcscd Service
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_service_pcscd_enabled">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">
@@ -13391,7 +13391,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id249" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id249"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service pcscd
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id249" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id249"><pre><code>
+[customizations.services]
+enabled = ["pcscd"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id250" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id250"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service pcscd
/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-ospp.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-ospp.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-ospp.html	2023-07-27 00:00:00.000000000 +0000
@@ -81,7 +81,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>OSPP - Protection Profile for General Purpose Operating Systems v4.2.1</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_ospp</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::client is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::client</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::computenode is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::computenode</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::server is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::server</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::workstation is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::workstation</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:centos:centos:7 is applicable to this Benchmark">cpe:/o:centos:centos:7</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-7"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 7
                           <small>Group contains 50 groups and 103 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -151,7 +151,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure dracut-fips is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><pre><code>
+[[packages]]
+name = "dracut-fips"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id26" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id26"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure dracut-fips is installed
   package:
     name: dracut-fips
     state: present
@@ -175,19 +179,15 @@
   - medium_severity
   - no_reboot_needed
   - package_dracut-fips_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id26" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id26"><pre><code>
-[[packages]]
-name = "dracut-fips"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id27" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id27"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=dracut-fips
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id28" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id28"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_dracut-fips
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id27" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id27"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_dracut-fips
 
 class install_dracut-fips {
   package { 'dracut-fips':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id28" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id28"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=dracut-fips
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode" id="guide-tree-leaf-id29" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_fips"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode"><span class="label label-default">Rule</span>  
                                 Enable FIPS Mode in GRUB2
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">To ensure FIPS mode is enabled, install package <code>dracut-fips</code>, and rebuild <code>initramfs</code> by running the following commands:
@@ -5468,7 +5468,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id83" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id83"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure screen is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id83" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id83"><pre><code>
+[[packages]]
+name = "screen"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id84" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id84"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure screen is installed
   package:
     name: screen
     state: present
@@ -5483,19 +5487,15 @@
   - medium_severity
   - no_reboot_needed
   - package_screen_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id84" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id84"><pre><code>
-[[packages]]
-name = "screen"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id85" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id85"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=screen
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id86" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id86"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_screen
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id85" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id85"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_screen
 
 class install_screen {
   package { 'screen':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id86" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id86"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=screen
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_debug-shell_disabled" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_debug-shell_disabled" id="guide-tree-leaf-id87" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-physical"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_service_debug-shell_disabled"><span class="label label-default">Rule</span>  
                                 Disable debug-shell SystemD Service
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_service_debug-shell_disabled">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">SystemD's <code>debug-shell</code> service is intended to
@@ -5531,7 +5531,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id89" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id89"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Block Disable service debug-shell
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id89" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id89"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    systemd:
+      units:
+      - enabled: false
+        name: debug-shell.service
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id90" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id90"><pre><code>
+[customizations.services]
+disabled = ["debug-shell"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id91" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id91"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Block Disable service debug-shell
   block:
 
   - name: Disable service debug-shell
@@ -5594,20 +5608,6 @@
   - medium_severity
   - no_reboot_needed
   - service_debug-shell_disabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id90" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id90"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-      - enabled: false
-        name: debug-shell.service
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id91" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id91"><pre><code>
-[customizations.services]
-disabled = ["debug-shell"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id92" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id92"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include disable_debug-shell
 
 class disable_debug-shell {
@@ -5661,7 +5661,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id95" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id95"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id95" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id95"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,CtrlAltDelBurstAction%3Dnone
+        mode: 0644
+        path: /etc/systemd/system.conf.d/disable_ctrlaltdelete_burstaction.conf
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id96" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id96"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -5695,20 +5709,6 @@
   - low_complexity
   - low_disruption
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id96" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id96"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,CtrlAltDelBurstAction%3Dnone
-        mode: 0644
-        path: /etc/systemd/system.conf.d/disable_ctrlaltdelete_burstaction.conf
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot" id="guide-tree-leaf-id97" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-physical"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot"><span class="label label-default">Rule</span>  
                                 Disable Ctrl-Alt-Del Reboot Activation
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">By default, <code>SystemD</code> will reboot the system if the <code>Ctrl-Alt-Del</code>
@@ -5735,7 +5735,18 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id99" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id99"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Disable Ctrl-Alt-Del Reboot Activation
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id99" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id99"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    systemd:
+      units:
+      - name: ctrl-alt-del.target
+        mask: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id100" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id100"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Disable Ctrl-Alt-Del Reboot Activation
   systemd:
     name: ctrl-alt-del.target
     force: true
@@ -5753,17 +5764,6 @@
   - low_complexity
   - low_disruption
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id100" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id100"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-pci-dss.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-pci-dss.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-pci-dss.html	2023-07-27 00:00:00.000000000 +0000
@@ -74,7 +74,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 7</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_pci-dss</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::client is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::client</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::computenode is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::computenode</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::server is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::server</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::workstation is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::workstation</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:centos:centos:7 is applicable to this Benchmark">cpe:/o:centos:centos:7</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-7"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 7
                           <small>Group contains 47 groups and 96 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -463,7 +463,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id31" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id31"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id31" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id31"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id32" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id32"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -480,19 +484,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id32" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id32"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id33" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id33"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id34" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id34"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id33" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id33"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id34" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id34"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_build_database" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_aide_build_database" id="guide-tree-leaf-id35" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_aide"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_aide_build_database"><span class="label label-default">Rule</span>  
                                 Build and Test AIDE Database
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_aide_build_database">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Run the following command to generate a new database:
@@ -6737,7 +6737,26 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id118" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id118"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id118" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id118"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/password-auth
+        overwrite: true
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/system-auth
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id119" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id119"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
     authselect
   ansible.builtin.stat:
     path: /usr/bin/authselect
@@ -6861,25 +6880,6 @@
   - medium_disruption
   - no_empty_passwords
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id119" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id119"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/password-auth
-        overwrite: true
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/system-auth
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_auditing" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td style="padding-left: 38px" id="xccdf_org.ssgproject.content_group_auditing"><span class="label label-default">Group</span>  
                 System Accounting with auditd
                           <small>Group contains 9 groups and 41 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_auditing" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_auditing" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td style="padding-left: 38px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_auditing">[ref]</a>  
@@ -19135,7 +19135,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id173" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id173"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id173" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id173"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db64%20-S%20adjtimex%20-k%20audit_time_rules%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20adjtimex%20-k%20audit_time_rules%0A }}
+        mode: 0600
+        path: /etc/audit/rules.d/75-syscall-adjtimex.rules
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id174" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id174"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -19459,20 +19473,6 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id174" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id174"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db64%20-S%20adjtimex%20-k%20audit_time_rules%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20adjtimex%20-k%20audit_time_rules%0A }}
-        mode: 0600
-        path: /etc/audit/rules.d/75-syscall-adjtimex.rules
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime" id="guide-tree-leaf-id175" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_audit_time_rules"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime"><span class="label label-default">Rule</span>  
                                 Record Attempts to Alter Time Through clock_settime
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">If the <code>auditd</code> daemon is configured to use the
@@ -19824,7 +19824,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id177" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id177"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id177" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id177"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db64%20-S%20clock_settime%20-F%20a0%3D0x0%20-k%20time-change%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20clock_settime%20-F%20a0%3D0x0%20-k%20time-change%0A }}
+        mode: 0600
+        path: /etc/audit/rules.d/75-syscall-clock-settime.rules
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id178" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id178"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -20141,20 +20155,6 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id178" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id178"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db64%20-S%20clock_settime%20-F%20a0%3D0x0%20-k%20time-change%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20clock_settime%20-F%20a0%3D0x0%20-k%20time-change%0A }}
-        mode: 0600
-        path: /etc/audit/rules.d/75-syscall-clock-settime.rules
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday" id="guide-tree-leaf-id179" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_audit_time_rules"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday"><span class="label label-default">Rule</span>  
                                 Record attempts to alter time through settimeofday
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">If the <code>auditd</code> daemon is configured to use the
@@ -20518,7 +20518,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id181" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id181"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id181" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id181"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-rhelh-stig.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-rhelh-stig.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-rhelh-stig.html	2023-07-27 00:00:00.000000000 +0000
@@ -76,7 +76,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>RHV hardening based on STIG for Red Hat Enterprise Linux 7</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_rhelh-stig</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::client is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::client</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::computenode is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::computenode</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::server is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::server</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::workstation is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::workstation</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:centos:centos:7 is applicable to this Benchmark">cpe:/o:centos:centos:7</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_routing">Network Routing</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_sssd">System Security Services Daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_xwindows">X Window System</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-7"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 7
                           <small>Group contains 100 groups and 377 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -585,7 +585,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id34" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id34"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id34" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id34"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id35" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id35"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -602,19 +606,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id35" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id35"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id36" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id36"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id37" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id37"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id36" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id36"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id37" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id37"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_build_database" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_aide_build_database" id="guide-tree-leaf-id38" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_aide"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_aide_build_database"><span class="label label-default">Rule</span>  
                                 Build and Test AIDE Database
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_aide_build_database">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Run the following command to generate a new database:
@@ -1158,7 +1158,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id55" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id55"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure dracut-fips is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id55" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id55"><pre><code>
+[[packages]]
+name = "dracut-fips"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id56" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id56"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure dracut-fips is installed
   package:
     name: dracut-fips
     state: present
@@ -1182,19 +1186,15 @@
   - medium_severity
   - no_reboot_needed
   - package_dracut-fips_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id56" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id56"><pre><code>
-[[packages]]
-name = "dracut-fips"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id57" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id57"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=dracut-fips
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id58" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id58"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_dracut-fips
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id57" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id57"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_dracut-fips
 
 class install_dracut-fips {
   package { 'dracut-fips':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id58" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id58"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=dracut-fips
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode" id="guide-tree-leaf-id59" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_fips"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode"><span class="label label-default">Rule</span>  
                                 Enable FIPS Mode in GRUB2
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">To ensure FIPS mode is enabled, install package <code>dracut-fips</code>, and rebuild <code>initramfs</code> by running the following commands:
@@ -2048,15 +2048,15 @@
   - medium_severity
   - no_reboot_needed
   - package_gdm_removed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id85" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id85"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=gdm
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id86" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id86"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_gdm
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id85" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id85"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_gdm
 
 class remove_gdm {
   package { 'gdm':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id86" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id86"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=gdm
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_sudo" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_software"><td style="padding-left: 57px" id="xccdf_org.ssgproject.content_group_sudo"><span class="label label-default">Group</span>  
                 Sudo
                           <small>Group contains 2 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_sudo" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_sudo" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_software"><td style="padding-left: 57px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_sudo">[ref]</a>  
@@ -9352,7 +9352,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id171" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id171"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure screen is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id171" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id171"><pre><code>
+[[packages]]
+name = "screen"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id172" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id172"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure screen is installed
   package:
     name: screen
     state: present
@@ -9367,19 +9371,15 @@
   - medium_severity
   - no_reboot_needed
   - package_screen_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id172" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id172"><pre><code>
-[[packages]]
-name = "screen"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id173" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id173"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=screen
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id174" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id174"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_screen
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id173" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id173"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_screen
 
 class install_screen {
   package { 'screen':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id174" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id174"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=screen
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_smart_card_login" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_screen_locking"><td style="padding-left: 95px" id="xccdf_org.ssgproject.content_group_smart_card_login"><span class="label label-default">Group</span>  
                 Hardware Tokens for Authentication
                           <small>Group contains 6 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_smart_card_login" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_smart_card_login" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_screen_locking"><td style="padding-left: 95px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_smart_card_login">[ref]</a>  
@@ -9413,7 +9413,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id177" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id177"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure opensc is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id177" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id177"><pre><code>
+[[packages]]
+name = "opensc"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id178" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id178"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure opensc is installed
   package:
     name: opensc
     state: present
@@ -9426,19 +9430,15 @@
   - medium_severity
   - no_reboot_needed
   - package_opensc_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id178" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id178"><pre><code>
-[[packages]]
-name = "opensc"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id179" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id179"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=opensc
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id180" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id180"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_opensc
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id179" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id179"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_opensc
 
 class install_opensc {
   package { 'opensc':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id180" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id180"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=opensc
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_pcsc-lite_installed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_pcsc-lite_installed" id="guide-tree-leaf-id181" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smart_card_login"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_pcsc-lite_installed"><span class="label label-default">Rule</span>  
                                 Install the pcsc-lite package
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_pcsc-lite_installed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The <code>pcsc-lite</code> package can be installed with the following command:
@@ -9455,7 +9455,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id183" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id183"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure pcsc-lite is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id183" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id183"><pre><code>
+[[packages]]
+name = "pcsc-lite"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id184" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id184"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure pcsc-lite is installed
   package:
     name: pcsc-lite
     state: present
@@ -9468,19 +9472,15 @@
   - medium_severity
   - no_reboot_needed
   - package_pcsc-lite_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id184" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id184"><pre><code>
-[[packages]]
-name = "pcsc-lite"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id185" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id185"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=pcsc-lite
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id186" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id186"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_pcsc-lite
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id185" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id185"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_pcsc-lite
 
/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-rhelh-vpp.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-rhelh-vpp.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-rhelh-vpp.html	2023-07-27 00:00:00.000000000 +0000
@@ -99,7 +99,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>VPP - Protection Profile for Virtualization v. 1.0 for Red Hat Virtualization</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_rhelh-vpp</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::client is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::client</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::computenode is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::computenode</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::server is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::server</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::workstation is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::workstation</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:centos:centos:7 is applicable to this Benchmark">cpe:/o:centos:centos:7</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_sssd">System Security Services Daemon</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-7"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 7
                           <small>Group contains 48 groups and 142 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -7376,7 +7376,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id106" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id106"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure opensc is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id106" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id106"><pre><code>
+[[packages]]
+name = "opensc"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id107" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id107"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure opensc is installed
   package:
     name: opensc
     state: present
@@ -7389,19 +7393,15 @@
   - medium_severity
   - no_reboot_needed
   - package_opensc_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id107" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id107"><pre><code>
-[[packages]]
-name = "opensc"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id108" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id108"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=opensc
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id109" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id109"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_opensc
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id108" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id108"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_opensc
 
 class install_opensc {
   package { 'opensc':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id109" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id109"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=opensc
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_pcsc-lite_installed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_pcsc-lite_installed" id="guide-tree-leaf-id110" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smart_card_login"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_pcsc-lite_installed"><span class="label label-default">Rule</span>  
                                 Install the pcsc-lite package
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_pcsc-lite_installed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The <code>pcsc-lite</code> package can be installed with the following command:
@@ -7418,7 +7418,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id112" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id112"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure pcsc-lite is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id112" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id112"><pre><code>
+[[packages]]
+name = "pcsc-lite"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id113" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id113"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure pcsc-lite is installed
   package:
     name: pcsc-lite
     state: present
@@ -7431,19 +7435,15 @@
   - medium_severity
   - no_reboot_needed
   - package_pcsc-lite_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id113" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id113"><pre><code>
-[[packages]]
-name = "pcsc-lite"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id114" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id114"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=pcsc-lite
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id115" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id115"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_pcsc-lite
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id114" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id114"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_pcsc-lite
 
 class install_pcsc-lite {
   package { 'pcsc-lite':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id115" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id115"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=pcsc-lite
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_pcscd_enabled" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_pcscd_enabled" id="guide-tree-leaf-id116" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smart_card_login"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_service_pcscd_enabled"><span class="label label-default">Rule</span>  
                                 Enable the pcscd Service
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_service_pcscd_enabled">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">
@@ -7469,7 +7469,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id118" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id118"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service pcscd
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id118" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id118"><pre><code>
+[customizations.services]
+enabled = ["pcscd"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id119" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id119"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service pcscd
   block:
 
   - name: Gather the package facts
@@ -7507,9 +7510,6 @@
   - medium_severity
   - no_reboot_needed
   - service_pcscd_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id119" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id119"><pre><code>
-[customizations.services]
-enabled = ["pcscd"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id120" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id120"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_pcscd
 
 class enable_pcscd {
@@ -8350,7 +8350,26 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id147" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id147"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id147" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id147"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/password-auth
+        overwrite: true
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/system-auth
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id148" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id148"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
     authselect
   ansible.builtin.stat:
     path: /usr/bin/authselect
@@ -8474,25 +8493,6 @@
   - medium_disruption
   - no_empty_passwords
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id148" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id148"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/password-auth
-        overwrite: true
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/system-auth
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_root_logins" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-restrictions"><td style="padding-left: 76px" id="xccdf_org.ssgproject.content_group_root_logins"><span class="label label-default">Group</span>  
                 Restrict Root Logins
                           <small>Group contains 5 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_root_logins" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_root_logins" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-restrictions"><td style="padding-left: 76px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_root_logins">[ref]</a>  
@@ -8601,7 +8601,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id154" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id154"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Direct root Logins Not Allowed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id154" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id154"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,
+        mode: 0600
+        path: /etc/securetty
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id155" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id155"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Direct root Logins Not Allowed
   copy:
     dest: /etc/securetty
     content: ''
@@ -8618,20 +8632,6 @@
   - no_direct_root_logins
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id155" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id155"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,
-        mode: 0600
-        path: /etc/securetty
-        overwrite: true
/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-rht-ccp.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-rht-ccp.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-rht-ccp.html	2023-07-27 00:00:00.000000000 +0000
@@ -77,7 +77,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_rht-ccp</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::client is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::client</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::computenode is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::computenode</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::server is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::server</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::workstation is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::workstation</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:centos:centos:7 is applicable to this Benchmark">cpe:/o:centos:centos:7</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-7"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 7
                           <small>Group contains 38 groups and 68 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -131,7 +131,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id26" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id26"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -148,19 +152,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id26" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id26"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id27" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id27"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id28" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id28"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id27" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id27"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id28" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id28"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_disk_partitioning" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_software"><td style="padding-left: 57px" id="xccdf_org.ssgproject.content_group_disk_partitioning"><span class="label label-default">Group</span>  
                 Disk Partitioning
                           <small>Group contains 4 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_disk_partitioning" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disk_partitioning" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_software"><td style="padding-left: 57px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_disk_partitioning">[ref]</a>  
@@ -4148,7 +4148,26 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id98" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id98"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id98" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id98"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/password-auth
+        overwrite: true
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/system-auth
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id99" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id99"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
     authselect
   ansible.builtin.stat:
     path: /usr/bin/authselect
@@ -4272,25 +4291,6 @@
   - medium_disruption
   - no_empty_passwords
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id99" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id99"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/password-auth
-        overwrite: true
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/system-auth
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_root_logins" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-restrictions"><td style="padding-left: 76px" id="xccdf_org.ssgproject.content_group_root_logins"><span class="label label-default">Group</span>  
                 Restrict Root Logins
                           <small>Group contains 2 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_root_logins" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_root_logins" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-restrictions"><td style="padding-left: 76px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_root_logins">[ref]</a>  
@@ -5093,7 +5093,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id121" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id121"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service firewalld
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id121" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id121"><pre><code>
+[customizations.services]
+enabled = ["firewalld"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id122" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id122"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service firewalld
   block:
 
   - name: Gather the package facts
@@ -5124,9 +5127,6 @@
   - medium_severity
   - no_reboot_needed
   - service_firewalld_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id122" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id122"><pre><code>
-[customizations.services]
-enabled = ["firewalld"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id123" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id123"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_firewalld
 
 class enable_firewalld {
@@ -5209,7 +5209,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id127" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id127"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Ensure kernel module 'dccp' is disabled
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id127" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id127"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,install%20dccp%20/bin/true%0Ablacklist%20dccp%0A
+        mode: 0644
+        path: /etc/modprobe.d/dccp.conf
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id128" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id128"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Ensure kernel module 'dccp' is disabled
   lineinfile:
     create: true
     dest: /etc/modprobe.d/dccp.conf
@@ -5254,20 +5268,6 @@
   - medium_disruption
   - medium_severity
   - reboot_required
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id128" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id128"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,install%20dccp%20/bin/true%0Ablacklist%20dccp%0A
-        mode: 0644
-        path: /etc/modprobe.d/dccp.conf
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_kernel_module_sctp_disabled" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_kernel_module_sctp_disabled" id="guide-tree-leaf-id129" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_network-uncommon"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_kernel_module_sctp_disabled"><span class="label label-default">Rule</span>  
                                 Disable SCTP Support
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_kernel_module_sctp_disabled">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The Stream Control Transmission Protocol (SCTP) is a
@@ -5301,7 +5301,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id131" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id131"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Ensure kernel module 'sctp' is disabled
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id131" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id131"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,install%20sctp%20/bin/true%0Ablacklist%20sctp%0A
+        mode: 0644
+        path: /etc/modprobe.d/sctp.conf
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id132" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id132"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Ensure kernel module 'sctp' is disabled
   lineinfile:
     create: true
     dest: /etc/modprobe.d/sctp.conf
@@ -5344,20 +5358,6 @@
   - medium_disruption
   - medium_severity
   - reboot_required
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id132" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id132"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-standard.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-standard.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-standard.html	2023-07-27 00:00:00.000000000 +0000
@@ -76,7 +76,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Standard System Security Profile for Red Hat Enterprise Linux 7</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_standard</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::client is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::client</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::computenode is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::computenode</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::server is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::server</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::workstation is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::workstation</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:centos:centos:7 is applicable to this Benchmark">cpe:/o:centos:centos:7</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-7"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 7
                           <small>Group contains 28 groups and 51 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -905,7 +905,26 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id46" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id46"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id46" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id46"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/password-auth
+        overwrite: true
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/system-auth
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id47" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id47"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
     authselect
   ansible.builtin.stat:
     path: /usr/bin/authselect
@@ -1029,25 +1048,6 @@
   - medium_disruption
   - no_empty_passwords
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id47" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id47"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/password-auth
-        overwrite: true
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/system-auth
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_accounts-session" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts"><td style="padding-left: 57px" id="xccdf_org.ssgproject.content_group_accounts-session"><span class="label label-default">Group</span>  
                 Secure Session Configuration Files for Login Accounts
                           <small>Group contains  1 group and 1 rule</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_accounts-session" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_accounts-session" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts"><td style="padding-left: 57px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_accounts-session">[ref]</a>  
@@ -12931,7 +12931,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id101" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id101"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id101" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id101"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db64%20-S%20adjtimex%20-k%20audit_time_rules%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20adjtimex%20-k%20audit_time_rules%0A }}
+        mode: 0600
+        path: /etc/audit/rules.d/75-syscall-adjtimex.rules
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id102" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id102"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -13255,20 +13269,6 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id102" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id102"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db64%20-S%20adjtimex%20-k%20audit_time_rules%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20adjtimex%20-k%20audit_time_rules%0A }}
-        mode: 0600
-        path: /etc/audit/rules.d/75-syscall-adjtimex.rules
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime" id="guide-tree-leaf-id103" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_audit_time_rules"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime"><span class="label label-default">Rule</span>  
                                 Record Attempts to Alter Time Through clock_settime
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">If the <code>auditd</code> daemon is configured to use the
@@ -13620,7 +13620,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id105" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id105"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id105" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id105"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db64%20-S%20clock_settime%20-F%20a0%3D0x0%20-k%20time-change%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20clock_settime%20-F%20a0%3D0x0%20-k%20time-change%0A }}
+        mode: 0600
+        path: /etc/audit/rules.d/75-syscall-clock-settime.rules
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id106" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id106"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -13937,20 +13951,6 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id106" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id106"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db64%20-S%20clock_settime%20-F%20a0%3D0x0%20-k%20time-change%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20clock_settime%20-F%20a0%3D0x0%20-k%20time-change%0A }}
-        mode: 0600
-        path: /etc/audit/rules.d/75-syscall-clock-settime.rules
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday" id="guide-tree-leaf-id107" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_audit_time_rules"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday"><span class="label label-default">Rule</span>  
                                 Record attempts to alter time through settimeofday
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">If the <code>auditd</code> daemon is configured to use the
@@ -14314,7 +14314,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id109" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id109"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id109" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id109"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db64%20-S%20settimeofday%20-k%20audit_time_rules%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20settimeofday%20-k%20audit_time_rules%0A }}
+        mode: 0600
+        path: /etc/audit/rules.d/75-syscall-settimeofday.rules
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id110" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id110"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -14639,20 +14653,6 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id110" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id110"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db64%20-S%20settimeofday%20-k%20audit_time_rules%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20settimeofday%20-k%20audit_time_rules%0A }}
-        mode: 0600
-        path: /etc/audit/rules.d/75-syscall-settimeofday.rules
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_time_stime" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_time_stime" id="guide-tree-leaf-id111" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_audit_time_rules"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_audit_rules_time_stime"><span class="label label-default">Rule</span>  
                                 Record Attempts to Alter Time Through stime
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_audit_rules_time_stime">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">If the <code>auditd</code> daemon is configured to use the
@@ -15020,7 +15020,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-stig.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-stig.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-stig.html	2023-07-27 00:00:00.000000000 +0000
@@ -85,7 +85,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>DISA STIG for Red Hat Enterprise Linux 7</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_stig</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::client is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::client</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::computenode is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::computenode</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::server is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::server</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::workstation is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::workstation</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:centos:centos:7 is applicable to this Benchmark">cpe:/o:centos:centos:7</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_snmp">SNMP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_sssd">System Security Services Daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_xwindows">X Window System</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-7"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 7
                           <small>Group contains 103 groups and 276 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -594,7 +594,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id34" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id34"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id34" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id34"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id35" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id35"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -611,19 +615,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id35" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id35"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id36" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id36"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id37" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id37"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id36" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id36"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id37" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id37"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_build_database" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_aide_build_database" id="guide-tree-leaf-id38" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_aide"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_aide_build_database"><span class="label label-default">Rule</span>  
                                 Build and Test AIDE Database
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_aide_build_database">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Run the following command to generate a new database:
@@ -13549,7 +13549,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id222" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id222"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure screen is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id222" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id222"><pre><code>
+[[packages]]
+name = "screen"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id223" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id223"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure screen is installed
   package:
     name: screen
     state: present
@@ -13564,19 +13568,15 @@
   - medium_severity
   - no_reboot_needed
   - package_screen_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id223" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id223"><pre><code>
-[[packages]]
-name = "screen"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id224" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id224"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=screen
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id225" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id225"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_screen
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id224" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id224"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_screen
 
 class install_screen {
   package { 'screen':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id225" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id225"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=screen
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_smart_card_login" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_screen_locking"><td style="padding-left: 95px" id="xccdf_org.ssgproject.content_group_smart_card_login"><span class="label label-default">Group</span>  
                 Hardware Tokens for Authentication
                           <small>Group contains 3 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_smart_card_login" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_smart_card_login" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_screen_locking"><td style="padding-left: 95px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_smart_card_login">[ref]</a>  
@@ -13612,7 +13612,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id228" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id228"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure pam_pkcs11 is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id228" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id228"><pre><code>
+[[packages]]
+name = "pam_pkcs11"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id229" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id229"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure pam_pkcs11 is installed
   package:
     name: pam_pkcs11
     state: present
@@ -13630,19 +13634,15 @@
   - low_disruption
   - medium_severity
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id229" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id229"><pre><code>
-[[packages]]
-name = "pam_pkcs11"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id230" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id230"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=pam_pkcs11
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id231" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id231"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_pam_pkcs11
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id230" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id230"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_pam_pkcs11
 
 class install_pam_pkcs11 {
   package { 'pam_pkcs11':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id231" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id231"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=pam_pkcs11
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_smartcard_auth" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_smartcard_auth" id="guide-tree-leaf-id232" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smart_card_login"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_smartcard_auth"><span class="label label-default">Rule</span>  
                                 Enable Smart Card Login
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_smartcard_auth">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">To enable smart card authentication, consult the documentation at:
@@ -13872,7 +13872,18 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id240" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id240"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Disable Ctrl-Alt-Del Reboot Activation
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id240" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id240"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    systemd:
+      units:
+      - name: ctrl-alt-del.target
+        mask: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id241" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id241"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Disable Ctrl-Alt-Del Reboot Activation
   systemd:
     name: ctrl-alt-del.target
     force: true
@@ -13890,17 +13901,6 @@
   - low_complexity
   - low_disruption
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id241" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id241"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-      - name: ctrl-alt-del.target
-        mask: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_require_singleuser_auth" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_require_singleuser_auth" id="guide-tree-leaf-id242" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-physical"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_require_singleuser_auth"><span class="label label-default">Rule</span>  
                                 Require Authentication for Single User Mode
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_require_singleuser_auth">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Single-user mode is intended as a system recovery
@@ -14424,7 +14424,26 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id263" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id263"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id263" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id263"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/password-auth
+        overwrite: true
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/system-auth
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id264" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id264"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
     authselect
   ansible.builtin.stat:
     path: /usr/bin/authselect
@@ -14548,25 +14567,6 @@
   - medium_disruption
   - no_empty_passwords
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id264" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id264"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
/usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-stig_gui.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-stig_gui.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-centos7-guide-stig_gui.html	2023-07-27 00:00:00.000000000 +0000
@@ -91,7 +91,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>DISA STIG with GUI for Red Hat Enterprise Linux 7</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_stig_gui</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::client is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::client</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::computenode is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::computenode</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::server is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::server</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::workstation is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::workstation</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:centos:centos:7 is applicable to this Benchmark">cpe:/o:centos:centos:7</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_snmp">SNMP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_sssd">System Security Services Daemon</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-7"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 7
                           <small>Group contains 101 groups and 275 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -600,7 +600,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id34" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id34"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id34" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id34"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id35" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id35"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -617,19 +621,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id35" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id35"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id36" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id36"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id37" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id37"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id36" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id36"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id37" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id37"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_build_database" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_aide_build_database" id="guide-tree-leaf-id38" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_aide"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_aide_build_database"><span class="label label-default">Rule</span>  
                                 Build and Test AIDE Database
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_aide_build_database">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Run the following command to generate a new database:
@@ -13555,7 +13555,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id222" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id222"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure screen is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id222" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id222"><pre><code>
+[[packages]]
+name = "screen"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id223" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id223"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure screen is installed
   package:
     name: screen
     state: present
@@ -13570,19 +13574,15 @@
   - medium_severity
   - no_reboot_needed
   - package_screen_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id223" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id223"><pre><code>
-[[packages]]
-name = "screen"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id224" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id224"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=screen
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id225" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id225"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_screen
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id224" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id224"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_screen
 
 class install_screen {
   package { 'screen':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id225" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id225"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=screen
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_smart_card_login" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_screen_locking"><td style="padding-left: 95px" id="xccdf_org.ssgproject.content_group_smart_card_login"><span class="label label-default">Group</span>  
                 Hardware Tokens for Authentication
                           <small>Group contains 3 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_smart_card_login" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_smart_card_login" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_screen_locking"><td style="padding-left: 95px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_smart_card_login">[ref]</a>  
@@ -13618,7 +13618,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id228" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id228"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure pam_pkcs11 is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id228" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id228"><pre><code>
+[[packages]]
+name = "pam_pkcs11"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id229" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id229"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure pam_pkcs11 is installed
   package:
     name: pam_pkcs11
     state: present
@@ -13636,19 +13640,15 @@
   - low_disruption
   - medium_severity
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id229" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id229"><pre><code>
-[[packages]]
-name = "pam_pkcs11"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id230" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id230"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=pam_pkcs11
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id231" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id231"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_pam_pkcs11
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id230" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id230"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_pam_pkcs11
 
 class install_pam_pkcs11 {
   package { 'pam_pkcs11':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id231" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id231"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=pam_pkcs11
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_smartcard_auth" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_smartcard_auth" id="guide-tree-leaf-id232" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smart_card_login"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_smartcard_auth"><span class="label label-default">Rule</span>  
                                 Enable Smart Card Login
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_smartcard_auth">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">To enable smart card authentication, consult the documentation at:
@@ -13878,7 +13878,18 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id240" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id240"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Disable Ctrl-Alt-Del Reboot Activation
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id240" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id240"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    systemd:
+      units:
+      - name: ctrl-alt-del.target
+        mask: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id241" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id241"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Disable Ctrl-Alt-Del Reboot Activation
   systemd:
     name: ctrl-alt-del.target
     force: true
@@ -13896,17 +13907,6 @@
   - low_complexity
   - low_disruption
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id241" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id241"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-      - name: ctrl-alt-del.target
-        mask: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_require_singleuser_auth" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_require_singleuser_auth" id="guide-tree-leaf-id242" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-physical"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_require_singleuser_auth"><span class="label label-default">Rule</span>  
                                 Require Authentication for Single User Mode
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_require_singleuser_auth">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Single-user mode is intended as a system recovery
@@ -14430,7 +14430,26 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id263" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id263"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id263" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id263"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/password-auth
+        overwrite: true
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/system-auth
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id264" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id264"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
     authselect
   ansible.builtin.stat:
     path: /usr/bin/authselect
@@ -14554,25 +14573,6 @@
   - medium_disruption
   - no_empty_passwords
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id264" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id264"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-anssi_bp28_enhanced.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-anssi_bp28_enhanced.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-anssi_bp28_enhanced.html	2023-07-27 00:00:00.000000000 +0000
@@ -80,7 +80,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>ANSSI-BP-028 (enhanced)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_bp28_enhanced</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.0 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.0</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.1 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.1</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.10 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.10</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.2 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.2</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.3 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.3</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.4 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.4</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.5 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.5</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.6 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.6</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.8</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.9</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:centos:centos:8 is applicable to this Benchmark">cpe:/o:centos:centos:8</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-8"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 8
                           <small>Group contains 68 groups and 235 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -134,7 +134,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id23" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id23"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -151,19 +155,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id23" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id23"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id24" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id24"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id24" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id24"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_build_database" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_aide_build_database" id="guide-tree-leaf-id26" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_aide"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_aide_build_database"><span class="label label-default">Rule</span>  
                                 Build and Test AIDE Database
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_aide_build_database">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Run the following command to generate a new database:
@@ -468,7 +468,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id61" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id61"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id61" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id61"><pre><code>
+[[packages]]
+name = "sudo"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id62" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id62"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -482,19 +486,15 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id62" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id62"><pre><code>
-[[packages]]
-name = "sudo"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id63" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id63"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=sudo
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id64" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id64"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id63" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id63"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
 
 class install_sudo {
   package { 'sudo':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id64" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id64"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=sudo
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sudo_add_env_reset" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sudo_add_env_reset" id="guide-tree-leaf-id65" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_sudo"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_sudo_add_env_reset"><span class="label label-default">Rule</span>  
                                 Ensure sudo Runs In A Minimal Environment - sudo env_reset
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_sudo_add_env_reset">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The sudo <code>env_reset</code> tag, when specified, will run the command in a minimal environment,
@@ -984,7 +984,11 @@
 if ! rpm -q --quiet "dnf-automatic" ; then
     yum install -y "dnf-automatic"
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id94" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id94"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure dnf-automatic is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id94" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id94"><pre><code>
+[[packages]]
+name = "dnf-automatic"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id95" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id95"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure dnf-automatic is installed
   package:
     name: dnf-automatic
     state: present
@@ -995,19 +999,15 @@
   - medium_severity
   - no_reboot_needed
   - package_dnf-automatic_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id95" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id95"><pre><code>
-[[packages]]
-name = "dnf-automatic"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id96" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id96"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=dnf-automatic
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id97" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id97"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_dnf-automatic
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id96" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id96"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_dnf-automatic
 
 class install_dnf-automatic {
   package { 'dnf-automatic':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id97" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id97"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=dnf-automatic
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates" id="guide-tree-leaf-id98" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_updating"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates"><span class="label label-default">Rule</span>  
                                 Configure dnf-automatic to Install Available Updates Automatically
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">To ensure that the packages comprising the available updates will be automatically installed by <code>dnf-automatic</code>, set <code>apply_updates</code> to <code>yes</code> under <code>[commands]</code> section in <code>/etc/dnf/automatic.conf</code>.</div></td></tr><tr><td><span class="label label-primary">Rationale:</span></td><td><div class="rationale">Installing software updates is a fundamental mitigation against
@@ -7764,7 +7764,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id173" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id173"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Direct root Logins Not Allowed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id173" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id173"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,
+        mode: 0600
+        path: /etc/securetty
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id174" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id174"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Direct root Logins Not Allowed
   copy:
     dest: /etc/securetty
     content: ''
@@ -7781,20 +7795,6 @@
   - no_direct_root_logins
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id174" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id174"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,
-        mode: 0600
-        path: /etc/securetty
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_accounts-session" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts"><td style="padding-left: 57px" id="xccdf_org.ssgproject.content_group_accounts-session"><span class="label label-default">Group</span>  
                 Secure Session Configuration Files for Login Accounts
                           <small>Group contains 1 group and 6 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_accounts-session" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_accounts-session" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts"><td style="padding-left: 57px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_accounts-session">[ref]</a>  
@@ -32135,7 +32135,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id270" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id270"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id270" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id270"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20delete_module%20-k%20module-change%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20delete_module%20-k%20module-change%0A
+        mode: 0600
+        path: /etc/audit/rules.d/75-kernel-module-loading-delete.rules
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id271" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id271"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -32456,20 +32470,6 @@
   - low_disruption
   - medium_severity
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id271" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id271"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-anssi_bp28_high.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-anssi_bp28_high.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-anssi_bp28_high.html	2023-07-27 00:00:00.000000000 +0000
@@ -80,7 +80,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>ANSSI-BP-028 (high)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_bp28_high</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.0 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.0</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.1 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.1</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.10 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.10</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.2 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.2</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.3 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.3</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.4 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.4</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.5 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.5</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.6 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.6</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.8</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.9</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:centos:centos:8 is applicable to this Benchmark">cpe:/o:centos:centos:8</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_kernel_build_config">Kernel Configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-8"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 8
                           <small>Group contains 70 groups and 310 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -134,7 +134,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id23" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id23"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -151,19 +155,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id23" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id23"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id24" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id24"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id24" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id24"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_build_database" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_aide_build_database" id="guide-tree-leaf-id26" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_aide"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_aide_build_database"><span class="label label-default">Rule</span>  
                                 Build and Test AIDE Database
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_aide_build_database">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Run the following command to generate a new database:
@@ -785,7 +785,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id71" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id71"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id71" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id71"><pre><code>
+[[packages]]
+name = "sudo"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id72" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id72"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -799,19 +803,15 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id72" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id72"><pre><code>
-[[packages]]
-name = "sudo"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id73" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id73"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=sudo
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id74" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id74"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id73" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id73"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
 
 class install_sudo {
   package { 'sudo':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id74" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id74"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=sudo
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sudo_add_env_reset" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sudo_add_env_reset" id="guide-tree-leaf-id75" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_sudo"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_sudo_add_env_reset"><span class="label label-default">Rule</span>  
                                 Ensure sudo Runs In A Minimal Environment - sudo env_reset
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_sudo_add_env_reset">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The sudo <code>env_reset</code> tag, when specified, will run the command in a minimal environment,
@@ -1301,7 +1301,11 @@
 if ! rpm -q --quiet "dnf-automatic" ; then
     yum install -y "dnf-automatic"
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id104" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id104"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure dnf-automatic is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id104" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id104"><pre><code>
+[[packages]]
+name = "dnf-automatic"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id105" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id105"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure dnf-automatic is installed
   package:
     name: dnf-automatic
     state: present
@@ -1312,19 +1316,15 @@
   - medium_severity
   - no_reboot_needed
   - package_dnf-automatic_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id105" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id105"><pre><code>
-[[packages]]
-name = "dnf-automatic"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id106" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id106"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=dnf-automatic
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id107" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id107"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_dnf-automatic
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id106" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id106"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_dnf-automatic
 
 class install_dnf-automatic {
   package { 'dnf-automatic':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id107" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id107"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=dnf-automatic
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates" id="guide-tree-leaf-id108" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_updating"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates"><span class="label label-default">Rule</span>  
                                 Configure dnf-automatic to Install Available Updates Automatically
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">To ensure that the packages comprising the available updates will be automatically installed by <code>dnf-automatic</code>, set <code>apply_updates</code> to <code>yes</code> under <code>[commands]</code> section in <code>/etc/dnf/automatic.conf</code>.</div></td></tr><tr><td><span class="label label-primary">Rationale:</span></td><td><div class="rationale">Installing software updates is a fundamental mitigation against
@@ -8081,7 +8081,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id183" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id183"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Direct root Logins Not Allowed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id183" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id183"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,
+        mode: 0600
+        path: /etc/securetty
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id184" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id184"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Direct root Logins Not Allowed
   copy:
     dest: /etc/securetty
     content: ''
@@ -8098,20 +8112,6 @@
   - no_direct_root_logins
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id184" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id184"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,
-        mode: 0600
-        path: /etc/securetty
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_accounts-session" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts"><td style="padding-left: 57px" id="xccdf_org.ssgproject.content_group_accounts-session"><span class="label label-default">Group</span>  
                 Secure Session Configuration Files for Login Accounts
                           <small>Group contains 1 group and 6 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_accounts-session" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_accounts-session" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts"><td style="padding-left: 57px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_accounts-session">[ref]</a>  
@@ -32452,7 +32452,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id280" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id280"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id280" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id280"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20delete_module%20-k%20module-change%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20delete_module%20-k%20module-change%0A
+        mode: 0600
+        path: /etc/audit/rules.d/75-kernel-module-loading-delete.rules
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id281" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id281"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -32773,20 +32787,6 @@
   - low_disruption
   - medium_severity
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id281" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id281"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-anssi_bp28_intermediary.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-anssi_bp28_intermediary.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-anssi_bp28_intermediary.html	2023-07-27 00:00:00.000000000 +0000
@@ -80,7 +80,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>ANSSI-BP-028 (intermediary)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_bp28_intermediary</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.0 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.0</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.1 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.1</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.10 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.10</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.2 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.2</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.3 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.3</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.4 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.4</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.5 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.5</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.6 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.6</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.8</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.9</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:centos:centos:8 is applicable to this Benchmark">cpe:/o:centos:centos:8</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-8"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 8
                           <small>Group contains 55 groups and 167 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -134,7 +134,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id23" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id23"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -151,19 +155,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id23" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id23"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id24" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id24"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id24" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id24"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_build_database" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_aide_build_database" id="guide-tree-leaf-id26" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_aide"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_aide_build_database"><span class="label label-default">Rule</span>  
                                 Build and Test AIDE Database
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_aide_build_database">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Run the following command to generate a new database:
@@ -450,7 +450,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id58" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id58"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id58" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id58"><pre><code>
+[[packages]]
+name = "sudo"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id59" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id59"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -464,19 +468,15 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id59" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id59"><pre><code>
-[[packages]]
-name = "sudo"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id60" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id60"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=sudo
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id61" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id61"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id60" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id60"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
 
 class install_sudo {
   package { 'sudo':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id61" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id61"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=sudo
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sudo_add_env_reset" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sudo_add_env_reset" id="guide-tree-leaf-id62" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_sudo"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_sudo_add_env_reset"><span class="label label-default">Rule</span>  
                                 Ensure sudo Runs In A Minimal Environment - sudo env_reset
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_sudo_add_env_reset">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The sudo <code>env_reset</code> tag, when specified, will run the command in a minimal environment,
@@ -958,7 +958,11 @@
 if ! rpm -q --quiet "dnf-automatic" ; then
     yum install -y "dnf-automatic"
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id90" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id90"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure dnf-automatic is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id90" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id90"><pre><code>
+[[packages]]
+name = "dnf-automatic"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id91" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id91"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure dnf-automatic is installed
   package:
     name: dnf-automatic
     state: present
@@ -969,19 +973,15 @@
   - medium_severity
   - no_reboot_needed
   - package_dnf-automatic_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id91" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id91"><pre><code>
-[[packages]]
-name = "dnf-automatic"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id92" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id92"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=dnf-automatic
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id93" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id93"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_dnf-automatic
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id92" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id92"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_dnf-automatic
 
 class install_dnf-automatic {
   package { 'dnf-automatic':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id93" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id93"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=dnf-automatic
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates" id="guide-tree-leaf-id94" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_updating"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates"><span class="label label-default">Rule</span>  
                                 Configure dnf-automatic to Install Available Updates Automatically
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">To ensure that the packages comprising the available updates will be automatically installed by <code>dnf-automatic</code>, set <code>apply_updates</code> to <code>yes</code> under <code>[commands]</code> section in <code>/etc/dnf/automatic.conf</code>.</div></td></tr><tr><td><span class="label label-primary">Rationale:</span></td><td><div class="rationale">Installing software updates is a fundamental mitigation against
@@ -7733,7 +7733,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id168" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id168"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Direct root Logins Not Allowed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id168" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id168"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,
+        mode: 0600
+        path: /etc/securetty
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id169" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id169"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Direct root Logins Not Allowed
   copy:
     dest: /etc/securetty
     content: ''
@@ -7750,20 +7764,6 @@
   - no_direct_root_logins
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id169" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id169"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,
-        mode: 0600
-        path: /etc/securetty
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_accounts-session" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts"><td style="padding-left: 57px" id="xccdf_org.ssgproject.content_group_accounts-session"><span class="label label-default">Group</span>  
                 Secure Session Configuration Files for Login Accounts
                           <small>Group contains 3 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_accounts-session" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_accounts-session" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts"><td style="padding-left: 57px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_accounts-session">[ref]</a>  
@@ -8780,7 +8780,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id189" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id189"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id189" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id189"><pre><code>[customizations.kernel]
+append = "l1tf=<abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_l1tf_options">full,force</abbr>"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id190" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id190"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -8808,8 +8810,6 @@
   - medium_complexity
   - reboot_required
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id190" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id190"><pre><code>[customizations.kernel]
-append = "l1tf=<abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_l1tf_options">full,force</abbr>"
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_mce_argument" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_grub2_mce_argument" id="guide-tree-leaf-id191" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_bootloader-grub2"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_grub2_mce_argument"><span class="label label-default">Rule</span>  
                                 Force kernel panic on uncorrected MCEs
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_grub2_mce_argument">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">A Machine Check Exception is an error generated by the CPU itdetects an error
@@ -8835,7 +8835,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id193" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id193"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id193" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id193"><pre><code>[customizations.kernel]
+append = "mce=0"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id194" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id194"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -8858,8 +8860,6 @@
   - medium_severity
   - reboot_required
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id194" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id194"><pre><code>[customizations.kernel]
-append = "mce=0"
/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-anssi_bp28_minimal.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-anssi_bp28_minimal.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-anssi_bp28_minimal.html	2023-07-27 00:00:00.000000000 +0000
@@ -80,7 +80,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>ANSSI-BP-028 (minimal)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_bp28_minimal</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.0 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.0</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.1 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.1</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.10 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.10</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.2 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.2</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.3 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.3</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.4 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.4</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.5 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.5</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.6 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.6</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.8</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.9</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:centos:centos:8 is applicable to this Benchmark">cpe:/o:centos:centos:8</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-8"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 8
                           <small>Group contains 26 groups and 47 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -246,7 +246,11 @@
 if ! rpm -q --quiet "dnf-automatic" ; then
     yum install -y "dnf-automatic"
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id28" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id28"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure dnf-automatic is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id28" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id28"><pre><code>
+[[packages]]
+name = "dnf-automatic"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id29" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id29"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure dnf-automatic is installed
   package:
     name: dnf-automatic
     state: present
@@ -257,19 +261,15 @@
   - medium_severity
   - no_reboot_needed
   - package_dnf-automatic_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id29" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id29"><pre><code>
-[[packages]]
-name = "dnf-automatic"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id30" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id30"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=dnf-automatic
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id31" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id31"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_dnf-automatic
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id30" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id30"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_dnf-automatic
 
 class install_dnf-automatic {
   package { 'dnf-automatic':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id31" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id31"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=dnf-automatic
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates" id="guide-tree-leaf-id32" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_updating"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates"><span class="label label-default">Rule</span>  
                                 Configure dnf-automatic to Install Available Updates Automatically
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">To ensure that the packages comprising the available updates will be automatically installed by <code>dnf-automatic</code>, set <code>apply_updates</code> to <code>yes</code> under <code>[commands]</code> section in <code>/etc/dnf/automatic.conf</code>.</div></td></tr><tr><td><span class="label label-primary">Rationale:</span></td><td><div class="rationale">Installing software updates is a fundamental mitigation against
@@ -7366,15 +7366,15 @@
   - medium_severity
   - no_reboot_needed
   - package_dhcp_removed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id119" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id119"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=dhcp-server
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id120" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id120"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_dhcp-server
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id119" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id119"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_dhcp-server
 
 class remove_dhcp-server {
   package { 'dhcp-server':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id120" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id120"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=dhcp-server
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_mail" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td style="padding-left: 38px" id="xccdf_org.ssgproject.content_group_mail"><span class="label label-default">Group</span>  
                 Mail Server Software
                           <small>Group contains  1 rule</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_mail" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_mail" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td style="padding-left: 38px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_mail">[ref]</a>  
@@ -7441,15 +7441,15 @@
   - medium_severity
   - no_reboot_needed
   - package_sendmail_removed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id124" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id124"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=sendmail
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id125" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id125"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_sendmail
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id124" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id124"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_sendmail
 
 class remove_sendmail {
   package { 'sendmail':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id125" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id125"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=sendmail
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_obsolete" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td style="padding-left: 38px" id="xccdf_org.ssgproject.content_group_obsolete"><span class="label label-default">Group</span>  
                 Obsolete Services
                           <small>Group contains 6 groups and 11 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_obsolete" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_obsolete" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td style="padding-left: 38px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_obsolete">[ref]</a>  
@@ -7516,15 +7516,15 @@
   - low_severity
   - no_reboot_needed
   - package_xinetd_removed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id129" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id129"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=xinetd
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id130" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id130"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_xinetd
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id129" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id129"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_xinetd
 
 class remove_xinetd {
   package { 'xinetd':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id130" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id130"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=xinetd
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_nis" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td style="padding-left: 57px" id="xccdf_org.ssgproject.content_group_nis"><span class="label label-default">Group</span>  
                 NIS
                           <small>Group contains 2 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_nis" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_nis" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td style="padding-left: 57px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_nis">[ref]</a>  
@@ -7567,15 +7567,15 @@
   - no_reboot_needed
   - package_ypbind_removed
   - unknown_severity
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id134" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id134"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=ypbind
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id135" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id135"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_ypbind
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id134" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id134"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_ypbind
 
 class remove_ypbind {
   package { 'ypbind':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id135" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id135"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=ypbind
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_ypserv_removed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ypserv_removed" id="guide-tree-leaf-id136" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_nis"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_ypserv_removed"><span class="label label-default">Rule</span>  
                                 Uninstall ypserv Package
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_ypserv_removed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The <code>ypserv</code> package can be removed with the following command:
@@ -7615,15 +7615,15 @@
   - low_disruption
   - no_reboot_needed
   - package_ypserv_removed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id139" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id139"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=ypserv
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id140" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id140"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_ypserv
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id139" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id139"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_ypserv
 
 class remove_ypserv {
   package { 'ypserv':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id140" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id140"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=ypserv
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_r_services" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td style="padding-left: 57px" id="xccdf_org.ssgproject.content_group_r_services"><span class="label label-default">Group</span>  
                 Rlogin, Rsh, and Rexec
                           <small>Group contains 2 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_r_services" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_r_services" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td style="padding-left: 57px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_r_services">[ref]</a>  
@@ -7667,15 +7667,15 @@
   - low_disruption
   - no_reboot_needed
   - package_rsh-server_removed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id144" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id144"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=rsh-server
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id145" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id145"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_rsh-server
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id144" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id144"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_rsh-server
 
 class remove_rsh-server {
   package { 'rsh-server':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id145" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id145"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=rsh-server
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_rsh_removed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_rsh_removed" id="guide-tree-leaf-id146" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_rsh_removed"><span class="label label-default">Rule</span>  
                                 Uninstall rsh Package
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_rsh_removed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">
@@ -7714,15 +7714,15 @@
   - no_reboot_needed
   - package_rsh_removed
   - unknown_severity
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id149" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id149"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=rsh
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id150" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id150"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_rsh
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id149" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id149"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_rsh
 
 class remove_rsh {
   package { 'rsh':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id150" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id150"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=rsh
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_talk" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td style="padding-left: 57px" id="xccdf_org.ssgproject.content_group_talk"><span class="label label-default">Group</span>  
                 Chat/Messaging Services
                           <small>Group contains 2 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_talk" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_talk" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td style="padding-left: 57px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_talk">[ref]</a>  
@@ -7755,15 +7755,15 @@
   - medium_severity
   - no_reboot_needed
   - package_talk-server_removed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id154" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id154"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=talk-server
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id155" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id155"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_talk-server
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id154" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id154"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_talk-server
 
 class remove_talk-server {
   package { 'talk-server':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id155" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id155"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=talk-server
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_talk_removed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_talk_removed" id="guide-tree-leaf-id156" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_talk"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_talk_removed"><span class="label label-default">Rule</span>  
                                 Uninstall talk Package
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_talk_removed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The <code>talk</code> package contains the client program for the
@@ -7799,15 +7799,15 @@
/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-cis.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-cis.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-cis.html	2023-07-27 00:00:00.000000000 +0000
@@ -79,7 +79,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>CIS Red Hat Enterprise Linux 8 Benchmark for Level 2 - Server</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_cis</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.0 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.0</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.1 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.1</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.10 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.10</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.2 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.2</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.3 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.3</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.4 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.4</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.5 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.5</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.6 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.6</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.8</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.9</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:centos:centos:8 is applicable to this Benchmark">cpe:/o:centos:centos:8</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_avahi">Avahi Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_dns">DNS Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_http">Web Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_imap">IMAP and POP3 Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_printing">Print Support</a></li><li><a href="#xccdf_org.ssgproject.content_group_proxy">Proxy Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB) Microsoft Windows File Sharing Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_snmp">SNMP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_xwindows">X Window System</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-8"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 8
                           <small>Group contains 118 groups and 355 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -133,7 +133,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id23" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id23"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -150,19 +154,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id23" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id23"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id24" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id24"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id24" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id24"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_build_database" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_aide_build_database" id="guide-tree-leaf-id26" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_aide"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_aide_build_database"><span class="label label-default">Rule</span>  
                                 Build and Test AIDE Database
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_aide_build_database">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Run the following command to generate a new database:
@@ -473,7 +473,27 @@
 	echo "Error invoking the update-crypto-policies script: $stderr_of_call" &gt;&amp;2
 	false  # end with an error code
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id34" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id34"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id34" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id34"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    systemd:
+      units:
+        - name: configure-crypto-policy.service
+          enabled: true
+          contents: |
+            [Unit]
+            Before=kubelet.service
+            [Service]
+            Type=oneshot
+            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
+            RemainAfterExit=yes
+            [Install]
+            WantedBy=multi-user.target
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id35" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id35"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
   set_fact:
     var_system_crypto_policy: !!str <abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_system_crypto_policy">DEFAULT</abbr>
   tags:
@@ -518,26 +538,6 @@
   - low_disruption
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id35" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id35"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-        - name: configure-crypto-policy.service
-          enabled: true
-          contents: |
-            [Unit]
-            Before=kubelet.service
-            [Service]
-            Type=oneshot
-            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
-            RemainAfterExit=yes
-            [Install]
-            WantedBy=multi-user.target
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy" id="guide-tree-leaf-id36" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_crypto"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy"><span class="label label-default">Rule</span>  
                                 Configure SSH to use System Crypto Policy
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -1277,7 +1277,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id73" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id73"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id73" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id73"><pre><code>
+[[packages]]
+name = "sudo"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id74" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id74"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -1291,19 +1295,15 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id74" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id74"><pre><code>
-[[packages]]
-name = "sudo"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id75" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id75"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=sudo
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id76" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id76"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id75" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id75"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
 
 class install_sudo {
   package { 'sudo':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id76" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id76"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=sudo
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sudo_add_use_pty" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sudo_add_use_pty" id="guide-tree-leaf-id77" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_sudo"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_sudo_add_use_pty"><span class="label label-default">Rule</span>  
                                 Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_pty
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_sudo_add_use_pty">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The sudo <code>use_pty</code> tag, when specified, will only execute sudo
@@ -9041,7 +9041,26 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id198" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id198"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id198" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id198"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/password-auth
+        overwrite: true
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/system-auth
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id199" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id199"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
     authselect
   ansible.builtin.stat:
     path: /usr/bin/authselect
@@ -9165,25 +9184,6 @@
   - medium_disruption
   - no_empty_passwords
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id199" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id199"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/password-auth
-        overwrite: true
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/system-auth
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow" id="guide-tree-leaf-id200" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_password_storage"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow"><span class="label label-default">Rule</span>  
                                 Ensure There Are No Accounts With Blank or Null Passwords
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Check the "/etc/shadow" file for blank passwords with the
@@ -34275,7 +34275,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id331" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id331"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id331" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id331"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-cis_server_l1.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-cis_server_l1.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-cis_server_l1.html	2023-07-27 00:00:00.000000000 +0000
@@ -79,7 +79,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>CIS Red Hat Enterprise Linux 8 Benchmark for Level 1 - Server</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_cis_server_l1</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.0 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.0</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.1 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.1</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.10 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.10</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.2 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.2</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.3 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.3</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.4 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.4</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.5 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.5</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.6 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.6</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.8</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.9</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:centos:centos:8 is applicable to this Benchmark">cpe:/o:centos:centos:8</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_avahi">Avahi Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_dns">DNS Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_http">Web Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_imap">IMAP and POP3 Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_printing">Print Support</a></li><li><a href="#xccdf_org.ssgproject.content_group_proxy">Proxy Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB) Microsoft Windows File Sharing Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_snmp">SNMP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_xwindows">X Window System</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-8"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 8
                           <small>Group contains 105 groups and 279 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -133,7 +133,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id23" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id23"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -150,19 +154,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id23" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id23"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id24" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id24"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id24" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id24"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_build_database" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_aide_build_database" id="guide-tree-leaf-id26" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_aide"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_aide_build_database"><span class="label label-default">Rule</span>  
                                 Build and Test AIDE Database
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_aide_build_database">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Run the following command to generate a new database:
@@ -473,7 +473,27 @@
 	echo "Error invoking the update-crypto-policies script: $stderr_of_call" &gt;&amp;2
 	false  # end with an error code
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id34" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id34"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id34" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id34"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    systemd:
+      units:
+        - name: configure-crypto-policy.service
+          enabled: true
+          contents: |
+            [Unit]
+            Before=kubelet.service
+            [Service]
+            Type=oneshot
+            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
+            RemainAfterExit=yes
+            [Install]
+            WantedBy=multi-user.target
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id35" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id35"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
   set_fact:
     var_system_crypto_policy: !!str <abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_system_crypto_policy">DEFAULT</abbr>
   tags:
@@ -518,26 +538,6 @@
   - low_disruption
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id35" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id35"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-        - name: configure-crypto-policy.service
-          enabled: true
-          contents: |
-            [Unit]
-            Before=kubelet.service
-            [Service]
-            Type=oneshot
-            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
-            RemainAfterExit=yes
-            [Install]
-            WantedBy=multi-user.target
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy" id="guide-tree-leaf-id36" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_crypto"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy"><span class="label label-default">Rule</span>  
                                 Configure SSH to use System Crypto Policy
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -1202,7 +1202,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id58" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id58"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id58" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id58"><pre><code>
+[[packages]]
+name = "sudo"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id59" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id59"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -1216,19 +1220,15 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id59" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id59"><pre><code>
-[[packages]]
-name = "sudo"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id60" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id60"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=sudo
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id61" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id61"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id60" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id60"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
 
 class install_sudo {
   package { 'sudo':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id61" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id61"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=sudo
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sudo_add_use_pty" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sudo_add_use_pty" id="guide-tree-leaf-id62" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_sudo"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_sudo_add_use_pty"><span class="label label-default">Rule</span>  
                                 Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_pty
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_sudo_add_use_pty">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The sudo <code>use_pty</code> tag, when specified, will only execute sudo
@@ -8857,7 +8857,26 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id180" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id180"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id180" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id180"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/password-auth
+        overwrite: true
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/system-auth
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id181" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id181"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
     authselect
   ansible.builtin.stat:
     path: /usr/bin/authselect
@@ -8981,25 +9000,6 @@
   - medium_disruption
   - no_empty_passwords
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id181" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id181"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/password-auth
-        overwrite: true
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/system-auth
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow" id="guide-tree-leaf-id182" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_password_storage"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow"><span class="label label-default">Rule</span>  
                                 Ensure There Are No Accounts With Blank or Null Passwords
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Check the "/etc/shadow" file for blank passwords with the
@@ -11567,7 +11567,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id279" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id279"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service systemd-journald
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id279" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id279"><pre><code>
+[customizations.services]
/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-cis_workstation_l1.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-cis_workstation_l1.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-cis_workstation_l1.html	2023-07-27 00:00:00.000000000 +0000
@@ -79,7 +79,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>CIS Red Hat Enterprise Linux 8 Benchmark for Level 1 - Workstation</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_cis_workstation_l1</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.0 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.0</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.1 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.1</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.10 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.10</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.2 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.2</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.3 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.3</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.4 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.4</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.5 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.5</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.6 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.6</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.8</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.9</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:centos:centos:8 is applicable to this Benchmark">cpe:/o:centos:centos:8</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_dns">DNS Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_http">Web Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_imap">IMAP and POP3 Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_proxy">Proxy Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB) Microsoft Windows File Sharing Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_snmp">SNMP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-8"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 8
                           <small>Group contains 98 groups and 272 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -133,7 +133,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id23" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id23"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -150,19 +154,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id23" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id23"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id24" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id24"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id24" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id24"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_build_database" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_aide_build_database" id="guide-tree-leaf-id26" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_aide"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_aide_build_database"><span class="label label-default">Rule</span>  
                                 Build and Test AIDE Database
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_aide_build_database">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Run the following command to generate a new database:
@@ -473,7 +473,27 @@
 	echo "Error invoking the update-crypto-policies script: $stderr_of_call" &gt;&amp;2
 	false  # end with an error code
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id34" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id34"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id34" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id34"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    systemd:
+      units:
+        - name: configure-crypto-policy.service
+          enabled: true
+          contents: |
+            [Unit]
+            Before=kubelet.service
+            [Service]
+            Type=oneshot
+            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
+            RemainAfterExit=yes
+            [Install]
+            WantedBy=multi-user.target
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id35" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id35"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
   set_fact:
     var_system_crypto_policy: !!str <abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_system_crypto_policy">DEFAULT</abbr>
   tags:
@@ -518,26 +538,6 @@
   - low_disruption
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id35" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id35"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-        - name: configure-crypto-policy.service
-          enabled: true
-          contents: |
-            [Unit]
-            Before=kubelet.service
-            [Service]
-            Type=oneshot
-            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
-            RemainAfterExit=yes
-            [Install]
-            WantedBy=multi-user.target
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy" id="guide-tree-leaf-id36" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_crypto"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy"><span class="label label-default">Rule</span>  
                                 Configure SSH to use System Crypto Policy
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -1202,7 +1202,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id58" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id58"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id58" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id58"><pre><code>
+[[packages]]
+name = "sudo"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id59" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id59"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -1216,19 +1220,15 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id59" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id59"><pre><code>
-[[packages]]
-name = "sudo"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id60" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id60"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=sudo
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id61" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id61"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id60" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id60"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
 
 class install_sudo {
   package { 'sudo':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id61" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id61"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=sudo
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sudo_add_use_pty" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sudo_add_use_pty" id="guide-tree-leaf-id62" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_sudo"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_sudo_add_use_pty"><span class="label label-default">Rule</span>  
                                 Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_pty
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_sudo_add_use_pty">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The sudo <code>use_pty</code> tag, when specified, will only execute sudo
@@ -8857,7 +8857,26 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id180" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id180"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id180" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id180"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/password-auth
+        overwrite: true
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/system-auth
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id181" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id181"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
     authselect
   ansible.builtin.stat:
     path: /usr/bin/authselect
@@ -8981,25 +9000,6 @@
   - medium_disruption
   - no_empty_passwords
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id181" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id181"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/password-auth
-        overwrite: true
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/system-auth
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow" id="guide-tree-leaf-id182" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_password_storage"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow"><span class="label label-default">Rule</span>  
                                 Ensure There Are No Accounts With Blank or Null Passwords
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Check the "/etc/shadow" file for blank passwords with the
@@ -11567,7 +11567,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id279" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id279"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service systemd-journald
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id279" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id279"><pre><code>
+[customizations.services]
/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-cis_workstation_l2.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-cis_workstation_l2.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-cis_workstation_l2.html	2023-07-27 00:00:00.000000000 +0000
@@ -79,7 +79,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>CIS Red Hat Enterprise Linux 8 Benchmark for Level 2 - Workstation</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_cis_workstation_l2</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.0 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.0</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.1 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.1</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.10 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.10</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.2 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.2</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.3 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.3</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.4 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.4</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.5 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.5</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.6 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.6</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.8</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.9</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:centos:centos:8 is applicable to this Benchmark">cpe:/o:centos:centos:8</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_avahi">Avahi Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_dns">DNS Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_http">Web Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_imap">IMAP and POP3 Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_proxy">Proxy Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB) Microsoft Windows File Sharing Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_snmp">SNMP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-8"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 8
                           <small>Group contains 113 groups and 351 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -133,7 +133,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id23" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id23"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -150,19 +154,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id23" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id23"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id24" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id24"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id24" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id24"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_build_database" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_aide_build_database" id="guide-tree-leaf-id26" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_aide"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_aide_build_database"><span class="label label-default">Rule</span>  
                                 Build and Test AIDE Database
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_aide_build_database">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Run the following command to generate a new database:
@@ -473,7 +473,27 @@
 	echo "Error invoking the update-crypto-policies script: $stderr_of_call" &gt;&amp;2
 	false  # end with an error code
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id34" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id34"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id34" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id34"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    systemd:
+      units:
+        - name: configure-crypto-policy.service
+          enabled: true
+          contents: |
+            [Unit]
+            Before=kubelet.service
+            [Service]
+            Type=oneshot
+            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
+            RemainAfterExit=yes
+            [Install]
+            WantedBy=multi-user.target
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id35" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id35"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
   set_fact:
     var_system_crypto_policy: !!str <abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_system_crypto_policy">DEFAULT</abbr>
   tags:
@@ -518,26 +538,6 @@
   - low_disruption
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id35" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id35"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-        - name: configure-crypto-policy.service
-          enabled: true
-          contents: |
-            [Unit]
-            Before=kubelet.service
-            [Service]
-            Type=oneshot
-            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
-            RemainAfterExit=yes
-            [Install]
-            WantedBy=multi-user.target
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy" id="guide-tree-leaf-id36" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_crypto"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy"><span class="label label-default">Rule</span>  
                                 Configure SSH to use System Crypto Policy
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -1277,7 +1277,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id73" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id73"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id73" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id73"><pre><code>
+[[packages]]
+name = "sudo"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id74" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id74"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -1291,19 +1295,15 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id74" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id74"><pre><code>
-[[packages]]
-name = "sudo"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id75" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id75"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=sudo
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id76" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id76"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id75" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id75"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
 
 class install_sudo {
   package { 'sudo':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id76" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id76"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=sudo
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sudo_add_use_pty" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sudo_add_use_pty" id="guide-tree-leaf-id77" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_sudo"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_sudo_add_use_pty"><span class="label label-default">Rule</span>  
                                 Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_pty
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_sudo_add_use_pty">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The sudo <code>use_pty</code> tag, when specified, will only execute sudo
@@ -9041,7 +9041,26 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id198" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id198"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id198" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id198"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/password-auth
+        overwrite: true
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/system-auth
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id199" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id199"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
     authselect
   ansible.builtin.stat:
     path: /usr/bin/authselect
@@ -9165,25 +9184,6 @@
   - medium_disruption
   - no_empty_passwords
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id199" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id199"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/password-auth
-        overwrite: true
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/system-auth
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow" id="guide-tree-leaf-id200" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_password_storage"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow"><span class="label label-default">Rule</span>  
                                 Ensure There Are No Accounts With Blank or Null Passwords
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Check the "/etc/shadow" file for blank passwords with the
@@ -34275,7 +34275,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id331" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id331"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id331" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id331"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-cjis.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-cjis.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-cjis.html	2023-07-27 00:00:00.000000000 +0000
@@ -78,7 +78,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Criminal Justice Information Services (CJIS) Security Policy</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_cjis</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.0 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.0</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.1 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.1</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.10 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.10</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.2 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.2</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.3 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.3</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.4 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.4</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.5 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.5</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.6 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.6</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.8</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.9</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:centos:centos:8 is applicable to this Benchmark">cpe:/o:centos:centos:8</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-8"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 8
                           <small>Group contains 48 groups and 105 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -458,7 +458,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id28" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id28"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id28" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id28"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id29" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id29"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -475,19 +479,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id29" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id29"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id30" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id30"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id31" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id31"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id30" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id30"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id31" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id31"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_build_database" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_aide_build_database" id="guide-tree-leaf-id32" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_aide"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_aide_build_database"><span class="label label-default">Rule</span>  
                                 Build and Test AIDE Database
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_aide_build_database">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Run the following command to generate a new database:
@@ -798,7 +798,27 @@
 	echo "Error invoking the update-crypto-policies script: $stderr_of_call" &gt;&amp;2
 	false  # end with an error code
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id40" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id40"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id40" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id40"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    systemd:
+      units:
+        - name: configure-crypto-policy.service
+          enabled: true
+          contents: |
+            [Unit]
+            Before=kubelet.service
+            [Service]
+            Type=oneshot
+            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
+            RemainAfterExit=yes
+            [Install]
+            WantedBy=multi-user.target
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id41" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id41"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
   set_fact:
     var_system_crypto_policy: !!str <abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_system_crypto_policy">FIPS</abbr>
   tags:
@@ -843,26 +863,6 @@
   - low_disruption
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id41" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id41"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-        - name: configure-crypto-policy.service
-          enabled: true
-          contents: |
-            [Unit]
-            Before=kubelet.service
-            [Service]
-            Type=oneshot
-            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
-            RemainAfterExit=yes
-            [Install]
-            WantedBy=multi-user.target
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy" id="guide-tree-leaf-id42" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_crypto"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy"><span class="label label-default">Rule</span>  
                                 Configure SSH to use System Crypto Policy
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -4272,7 +4272,26 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id106" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id106"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id106" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id106"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/password-auth
+        overwrite: true
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/system-auth
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id107" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id107"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
     authselect
   ansible.builtin.stat:
     path: /usr/bin/authselect
@@ -4396,25 +4415,6 @@
   - medium_disruption
   - no_empty_passwords
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id107" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id107"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/password-auth
-        overwrite: true
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/system-auth
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_accounts-session" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts"><td style="padding-left: 57px" id="xccdf_org.ssgproject.content_group_accounts-session"><span class="label label-default">Group</span>  
                 Secure Session Configuration Files for Login Accounts
                           <small>Group contains  1 rule</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_accounts-session" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_accounts-session" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts"><td style="padding-left: 57px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_accounts-session">[ref]</a>  
@@ -20372,7 +20372,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id167" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id167"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id167" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id167"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db64%20-S%20adjtimex%20-k%20audit_time_rules%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20adjtimex%20-k%20audit_time_rules%0A }}
+        mode: 0600
+        path: /etc/audit/rules.d/75-syscall-adjtimex.rules
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id168" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id168"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -20696,20 +20710,6 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id168" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id168"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db64%20-S%20adjtimex%20-k%20audit_time_rules%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20adjtimex%20-k%20audit_time_rules%0A }}
-        mode: 0600
-        path: /etc/audit/rules.d/75-syscall-adjtimex.rules
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime" id="guide-tree-leaf-id169" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_audit_time_rules"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime"><span class="label label-default">Rule</span>  
                                 Record Attempts to Alter Time Through clock_settime
/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-cui.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-cui.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-cui.html	2023-07-27 00:00:00.000000000 +0000
@@ -90,7 +90,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_cui</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.0 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.0</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.1 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.1</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.10 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.10</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.2 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.2</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.3 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.3</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.4 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.4</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.5 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.5</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.6 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.6</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.8</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.9</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:centos:centos:8 is applicable to this Benchmark">cpe:/o:centos:centos:8</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-zipl">zIPL bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_fapolicyd">Application Whitelisting Daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_kerberos">Kerberos</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_usbguard">USBGuard daemon</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-8"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 8
                           <small>Group contains 62 groups and 210 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -144,7 +144,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id23" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id23"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -161,19 +165,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id23" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id23"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id24" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id24"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id24" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id24"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_fips" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_integrity"><td style="padding-left: 76px" id="xccdf_org.ssgproject.content_group_fips"><span class="label label-default">Group</span>  
                 Federal Information Processing Standard (FIPS)
                           <small>Group contains 2 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_fips" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_fips" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_integrity"><td style="padding-left: 76px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_fips">[ref]</a>  
@@ -454,7 +454,11 @@
 if ! rpm -q --quiet "crypto-policies" ; then
     yum install -y "crypto-policies"
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id34" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id34"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure crypto-policies is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id34" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id34"><pre><code>
+[[packages]]
+name = "crypto-policies"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id35" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id35"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure crypto-policies is installed
   package:
     name: crypto-policies
     state: present
@@ -465,19 +469,15 @@
   - medium_severity
   - no_reboot_needed
   - package_crypto-policies_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id35" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id35"><pre><code>
-[[packages]]
-name = "crypto-policies"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id36" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id36"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=crypto-policies
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id37" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id37"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_crypto-policies
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id36" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id36"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_crypto-policies
 
 class install_crypto-policies {
   package { 'crypto-policies':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id37" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id37"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=crypto-policies
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_configure_bind_crypto_policy" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_configure_bind_crypto_policy" id="guide-tree-leaf-id38" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_crypto"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_configure_bind_crypto_policy"><span class="label label-default">Rule</span>  
                                 Configure BIND to use System Crypto Policy
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_configure_bind_crypto_policy">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -547,7 +547,27 @@
 	echo "Error invoking the update-crypto-policies script: $stderr_of_call" &gt;&amp;2
 	false  # end with an error code
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id42" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id42"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id42" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id42"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    systemd:
+      units:
+        - name: configure-crypto-policy.service
+          enabled: true
+          contents: |
+            [Unit]
+            Before=kubelet.service
+            [Service]
+            Type=oneshot
+            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
+            RemainAfterExit=yes
+            [Install]
+            WantedBy=multi-user.target
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id43" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id43"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
   set_fact:
     var_system_crypto_policy: !!str <abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_system_crypto_policy">FIPS:OSPP</abbr>
   tags:
@@ -592,26 +612,6 @@
   - low_disruption
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id43" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id43"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-        - name: configure-crypto-policy.service
-          enabled: true
-          contents: |
-            [Unit]
-            Before=kubelet.service
-            [Service]
-            Type=oneshot
-            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
-            RemainAfterExit=yes
-            [Install]
-            WantedBy=multi-user.target
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy" id="guide-tree-leaf-id44" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_crypto"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy"><span class="label label-default">Rule</span>  
                                 Configure Kerberos to use System Crypto Policy
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -1067,7 +1067,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id76" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id76"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id76" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id76"><pre><code>
+[[packages]]
+name = "sudo"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id77" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id77"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -1081,19 +1085,15 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id77" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id77"><pre><code>
-[[packages]]
-name = "sudo"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id78" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id78"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=sudo
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id79" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id79"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id78" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id78"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
 
 class install_sudo {
   package { 'sudo':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id79" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id79"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=sudo
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system-tools" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_software"><td style="padding-left: 57px" id="xccdf_org.ssgproject.content_group_system-tools"><span class="label label-default">Group</span>  
                 System Tooling / Utilities
                           <small>Group contains 15 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_system-tools" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_system-tools" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_software"><td style="padding-left: 57px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_system-tools">[ref]</a>  
@@ -1109,7 +1109,11 @@
 if ! rpm -q --quiet "dnf-plugin-subscription-manager" ; then
     yum install -y "dnf-plugin-subscription-manager"
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id82" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id82"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure dnf-plugin-subscription-manager is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id82" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id82"><pre><code>
+[[packages]]
+name = "dnf-plugin-subscription-manager"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id83" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id83"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure dnf-plugin-subscription-manager is installed
   package:
     name: dnf-plugin-subscription-manager
     state: present
@@ -1120,19 +1124,15 @@
   - medium_severity
   - no_reboot_needed
   - package_dnf-plugin-subscription-manager_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id83" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id83"><pre><code>
-[[packages]]
-name = "dnf-plugin-subscription-manager"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id84" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id84"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=dnf-plugin-subscription-manager
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id85" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id85"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_dnf-plugin-subscription-manager
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id84" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id84"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_dnf-plugin-subscription-manager
/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-e8.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-e8.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-e8.html	2023-07-27 00:00:00.000000000 +0000
@@ -80,7 +80,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Australian Cyber Security Centre (ACSC) Essential Eight</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_e8</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.0 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.0</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.1 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.1</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.10 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.10</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.2 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.2</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.3 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.3</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.4 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.4</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.5 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.5</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.6 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.6</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.8</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.9</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:centos:centos:8 is applicable to this Benchmark">cpe:/o:centos:centos:8</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_avahi">Avahi Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_fapolicyd">Application Whitelisting Daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_proxy">Proxy Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_routing">Network Routing</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-8"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 8
                           <small>Group contains 48 groups and 98 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -614,7 +614,27 @@
 	echo "Error invoking the update-crypto-policies script: $stderr_of_call" &gt;&amp;2
 	false  # end with an error code
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id31" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id31"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id31" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id31"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    systemd:
+      units:
+        - name: configure-crypto-policy.service
+          enabled: true
+          contents: |
+            [Unit]
+            Before=kubelet.service
+            [Service]
+            Type=oneshot
+            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
+            RemainAfterExit=yes
+            [Install]
+            WantedBy=multi-user.target
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id32" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id32"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
   set_fact:
     var_system_crypto_policy: !!str <abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_system_crypto_policy">DEFAULT:NO-SHA1</abbr>
   tags:
@@ -659,26 +679,6 @@
   - low_disruption
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id32" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id32"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-        - name: configure-crypto-policy.service
-          enabled: true
-          contents: |
-            [Unit]
-            Before=kubelet.service
-            [Service]
-            Type=oneshot
-            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
-            RemainAfterExit=yes
-            [Install]
-            WantedBy=multi-user.target
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy" id="guide-tree-leaf-id33" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_crypto"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy"><span class="label label-default">Rule</span>  
                                 Configure SSH to use System Crypto Policy
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -972,7 +972,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id47" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id47"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rear is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id47" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id47"><pre><code>
+[[packages]]
+name = "rear"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id48" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id48"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rear is installed
   package:
     name: rear
     state: present
@@ -988,19 +992,15 @@
   - medium_severity
   - no_reboot_needed
   - package_rear_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id48" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id48"><pre><code>
-[[packages]]
-name = "rear"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id49" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id49"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=rear
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id50" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id50"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_rear
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id49" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id49"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_rear
 
 class install_rear {
   package { 'rear':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id50" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id50"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=rear
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_updating" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_software"><td style="padding-left: 57px" id="xccdf_org.ssgproject.content_group_updating"><span class="label label-default">Group</span>  
                 Updating Software
                           <small>Group contains 6 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_updating" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_updating" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_software"><td style="padding-left: 57px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_updating">[ref]</a>  
@@ -1624,7 +1624,26 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id71" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id71"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id71" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id71"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/password-auth
+        overwrite: true
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/system-auth
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id72" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id72"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
     authselect
   ansible.builtin.stat:
     path: /usr/bin/authselect
@@ -1748,25 +1767,6 @@
   - medium_disruption
   - no_empty_passwords
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id72" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id72"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/password-auth
-        overwrite: true
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/system-auth
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_root_logins" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-restrictions"><td style="padding-left: 76px" id="xccdf_org.ssgproject.content_group_root_logins"><span class="label label-default">Group</span>  
                 Restrict Root Logins
                           <small>Group contains  1 rule</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_root_logins" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_root_logins" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-restrictions"><td style="padding-left: 76px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_root_logins">[ref]</a>  
@@ -8938,7 +8938,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id118" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id118"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id118" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id118"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db64%20-S%20adjtimex%20-k%20audit_time_rules%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20adjtimex%20-k%20audit_time_rules%0A }}
+        mode: 0600
+        path: /etc/audit/rules.d/75-syscall-adjtimex.rules
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id119" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id119"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -9262,20 +9276,6 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id119" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id119"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db64%20-S%20adjtimex%20-k%20audit_time_rules%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20adjtimex%20-k%20audit_time_rules%0A }}
-        mode: 0600
-        path: /etc/audit/rules.d/75-syscall-adjtimex.rules
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime" id="guide-tree-leaf-id120" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_audit_time_rules"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime"><span class="label label-default">Rule</span>  
                                 Record Attempts to Alter Time Through clock_settime
/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-hipaa.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-hipaa.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-hipaa.html	2023-07-27 00:00:00.000000000 +0000
@@ -83,7 +83,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Health Insurance Portability and Accountability Act (HIPAA)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_hipaa</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.0 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.0</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.1 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.1</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.10 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.10</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.2 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.2</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.3 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.3</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.4 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.4</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.5 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.5</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.6 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.6</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.8</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.9</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:centos:centos:8 is applicable to this Benchmark">cpe:/o:centos:centos:8</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_routing">Network Routing</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-8"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 8
                           <small>Group contains 54 groups and 137 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -500,7 +500,27 @@
 	echo "Error invoking the update-crypto-policies script: $stderr_of_call" &gt;&amp;2
 	false  # end with an error code
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id28" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id28"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id28" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id28"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    systemd:
+      units:
+        - name: configure-crypto-policy.service
+          enabled: true
+          contents: |
+            [Unit]
+            Before=kubelet.service
+            [Service]
+            Type=oneshot
+            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
+            RemainAfterExit=yes
+            [Install]
+            WantedBy=multi-user.target
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id29" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id29"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
   set_fact:
     var_system_crypto_policy: !!str <abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_system_crypto_policy">FIPS</abbr>
   tags:
@@ -545,26 +565,6 @@
   - low_disruption
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id29" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id29"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-        - name: configure-crypto-policy.service
-          enabled: true
-          contents: |
-            [Unit]
-            Before=kubelet.service
-            [Service]
-            Type=oneshot
-            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
-            RemainAfterExit=yes
-            [Install]
-            WantedBy=multi-user.target
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy" id="guide-tree-leaf-id30" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_crypto"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy"><span class="label label-default">Rule</span>  
                                 Configure SSH to use System Crypto Policy
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -1474,7 +1474,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id56" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id56"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Block Disable service debug-shell
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id56" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id56"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    systemd:
+      units:
+      - enabled: false
+        name: debug-shell.service
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id57" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id57"><pre><code>
+[customizations.services]
+disabled = ["debug-shell"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id58" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id58"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Block Disable service debug-shell
   block:
 
   - name: Disable service debug-shell
@@ -1540,20 +1554,6 @@
   - medium_severity
   - no_reboot_needed
   - service_debug-shell_disabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id57" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id57"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-      - enabled: false
-        name: debug-shell.service
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id58" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id58"><pre><code>
-[customizations.services]
-disabled = ["debug-shell"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id59" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id59"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include disable_debug-shell
 
 class disable_debug-shell {
@@ -1607,7 +1607,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id62" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id62"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id62" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id62"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,CtrlAltDelBurstAction%3Dnone
+        mode: 0644
+        path: /etc/systemd/system.conf.d/disable_ctrlaltdelete_burstaction.conf
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id63" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id63"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -1643,20 +1657,6 @@
   - low_complexity
   - low_disruption
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id63" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id63"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,CtrlAltDelBurstAction%3Dnone
-        mode: 0644
-        path: /etc/systemd/system.conf.d/disable_ctrlaltdelete_burstaction.conf
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot" id="guide-tree-leaf-id64" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-physical"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot"><span class="label label-default">Rule</span>  
                                 Disable Ctrl-Alt-Del Reboot Activation
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">By default, <code>SystemD</code> will reboot the system if the <code>Ctrl-Alt-Del</code>
@@ -1683,7 +1683,18 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id66" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id66"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Disable Ctrl-Alt-Del Reboot Activation
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id66" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id66"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    systemd:
+      units:
+      - name: ctrl-alt-del.target
+        mask: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id67" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id67"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Disable Ctrl-Alt-Del Reboot Activation
   systemd:
     name: ctrl-alt-del.target
     force: true
@@ -1701,17 +1712,6 @@
   - low_complexity
   - low_disruption
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id67" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id67"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-      - name: ctrl-alt-del.target
-        mask: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_disable_interactive_boot" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_grub2_disable_interactive_boot" id="guide-tree-leaf-id68" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-physical"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_grub2_disable_interactive_boot"><span class="label label-default">Rule</span>  
                                 Verify that Interactive Boot is Disabled
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_grub2_disable_interactive_boot">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Red Hat Enterprise Linux 8 systems support an "interactive boot" option that can
@@ -1974,7 +1974,26 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id76" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id76"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id76" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id76"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-ism_o.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-ism_o.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-ism_o.html	2023-07-27 00:00:00.000000000 +0000
@@ -84,7 +84,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Australian Cyber Security Centre (ACSC) ISM Official</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_ism_o</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.0 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.0</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.1 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.1</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.10 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.10</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.2 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.2</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.3 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.3</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.4 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.4</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.5 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.5</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.6 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.6</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.8</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.9</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:centos:centos:8 is applicable to this Benchmark">cpe:/o:centos:centos:8</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_avahi">Avahi Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_fapolicyd">Application Whitelisting Daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_proxy">Proxy Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_routing">Network Routing</a></li><li><a href="#xccdf_org.ssgproject.content_group_snmp">SNMP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_usbguard">USBGuard daemon</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-8"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 8
                           <small>Group contains 71 groups and 151 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -581,7 +581,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id31" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id31"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id31" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id31"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id32" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id32"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -598,19 +602,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id32" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id32"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id33" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id33"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id34" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id34"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id33" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id33"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id34" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id34"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_fips" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_integrity"><td style="padding-left: 76px" id="xccdf_org.ssgproject.content_group_fips"><span class="label label-default">Group</span>  
                 Federal Information Processing Standard (FIPS)
                           <small>Group contains  1 rule</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_fips" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_fips" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_integrity"><td style="padding-left: 76px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_fips">[ref]</a>  
@@ -826,7 +826,27 @@
 	echo "Error invoking the update-crypto-policies script: $stderr_of_call" &gt;&amp;2
 	false  # end with an error code
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id40" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id40"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id40" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id40"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    systemd:
+      units:
+        - name: configure-crypto-policy.service
+          enabled: true
+          contents: |
+            [Unit]
+            Before=kubelet.service
+            [Service]
+            Type=oneshot
+            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
+            RemainAfterExit=yes
+            [Install]
+            WantedBy=multi-user.target
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id41" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id41"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
   set_fact:
     var_system_crypto_policy: !!str <abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_system_crypto_policy">FIPS</abbr>
   tags:
@@ -871,26 +891,6 @@
   - low_disruption
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id41" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id41"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-        - name: configure-crypto-policy.service
-          enabled: true
-          contents: |
-            [Unit]
-            Before=kubelet.service
-            [Service]
-            Type=oneshot
-            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
-            RemainAfterExit=yes
-            [Install]
-            WantedBy=multi-user.target
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy" id="guide-tree-leaf-id42" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_crypto"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy"><span class="label label-default">Rule</span>  
                                 Configure SSH to use System Crypto Policy
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -1060,7 +1060,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id50" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id50"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id50" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id50"><pre><code>
+[[packages]]
+name = "sudo"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id51" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id51"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -1074,19 +1078,15 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id51" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id51"><pre><code>
-[[packages]]
-name = "sudo"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id52" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id52"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=sudo
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id53" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id53"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id52" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id52"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
 
 class install_sudo {
   package { 'sudo':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id53" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id53"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=sudo
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate" id="guide-tree-leaf-id54" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_sudo"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate"><span class="label label-default">Rule</span>  
                                 Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The sudo <code>!authenticate</code> option, when specified, allows a user to execute commands using
@@ -1338,7 +1338,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id65" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id65"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rear is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id65" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id65"><pre><code>
+[[packages]]
+name = "rear"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id66" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id66"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rear is installed
   package:
     name: rear
     state: present
@@ -1354,19 +1358,15 @@
   - medium_severity
   - no_reboot_needed
   - package_rear_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id66" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id66"><pre><code>
-[[packages]]
-name = "rear"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id67" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id67"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=rear
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id68" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id68"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_rear
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id67" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id67"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_rear
 
 class install_rear {
   package { 'rear':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id68" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id68"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=rear
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_updating" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_software"><td style="padding-left: 57px" id="xccdf_org.ssgproject.content_group_updating"><span class="label label-default">Group</span>  
                 Updating Software
                           <small>Group contains 6 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_updating" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_updating" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_software"><td style="padding-left: 57px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_updating">[ref]</a>  
@@ -6283,7 +6283,26 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id123" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id123"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id123" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id123"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/password-auth
+        overwrite: true
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/system-auth
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id124" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id124"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-ospp.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-ospp.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-ospp.html	2023-07-27 00:00:00.000000000 +0000
@@ -81,7 +81,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Protection Profile for General Purpose Operating Systems</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_ospp</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.0 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.0</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.1 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.1</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.10 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.10</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.2 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.2</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.3 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.3</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.4 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.4</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.5 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.5</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.6 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.6</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.8</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.9</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:centos:centos:8 is applicable to this Benchmark">cpe:/o:centos:centos:8</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-zipl">zIPL bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_fapolicyd">Application Whitelisting Daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_kerberos">Kerberos</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_usbguard">USBGuard daemon</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-8"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 8
                           <small>Group contains 62 groups and 210 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -135,7 +135,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id23" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id23"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -152,19 +156,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id23" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id23"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id24" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id24"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id24" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id24"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_fips" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_integrity"><td style="padding-left: 76px" id="xccdf_org.ssgproject.content_group_fips"><span class="label label-default">Group</span>  
                 Federal Information Processing Standard (FIPS)
                           <small>Group contains 2 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_fips" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_fips" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_integrity"><td style="padding-left: 76px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_fips">[ref]</a>  
@@ -445,7 +445,11 @@
 if ! rpm -q --quiet "crypto-policies" ; then
     yum install -y "crypto-policies"
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id34" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id34"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure crypto-policies is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id34" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id34"><pre><code>
+[[packages]]
+name = "crypto-policies"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id35" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id35"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure crypto-policies is installed
   package:
     name: crypto-policies
     state: present
@@ -456,19 +460,15 @@
   - medium_severity
   - no_reboot_needed
   - package_crypto-policies_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id35" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id35"><pre><code>
-[[packages]]
-name = "crypto-policies"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id36" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id36"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=crypto-policies
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id37" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id37"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_crypto-policies
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id36" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id36"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_crypto-policies
 
 class install_crypto-policies {
   package { 'crypto-policies':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id37" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id37"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=crypto-policies
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_configure_bind_crypto_policy" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_configure_bind_crypto_policy" id="guide-tree-leaf-id38" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_crypto"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_configure_bind_crypto_policy"><span class="label label-default">Rule</span>  
                                 Configure BIND to use System Crypto Policy
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_configure_bind_crypto_policy">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -538,7 +538,27 @@
 	echo "Error invoking the update-crypto-policies script: $stderr_of_call" &gt;&amp;2
 	false  # end with an error code
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id42" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id42"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id42" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id42"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    systemd:
+      units:
+        - name: configure-crypto-policy.service
+          enabled: true
+          contents: |
+            [Unit]
+            Before=kubelet.service
+            [Service]
+            Type=oneshot
+            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
+            RemainAfterExit=yes
+            [Install]
+            WantedBy=multi-user.target
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id43" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id43"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
   set_fact:
     var_system_crypto_policy: !!str <abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_system_crypto_policy">FIPS:OSPP</abbr>
   tags:
@@ -583,26 +603,6 @@
   - low_disruption
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id43" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id43"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-        - name: configure-crypto-policy.service
-          enabled: true
-          contents: |
-            [Unit]
-            Before=kubelet.service
-            [Service]
-            Type=oneshot
-            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
-            RemainAfterExit=yes
-            [Install]
-            WantedBy=multi-user.target
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy" id="guide-tree-leaf-id44" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_crypto"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy"><span class="label label-default">Rule</span>  
                                 Configure Kerberos to use System Crypto Policy
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -1058,7 +1058,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id76" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id76"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id76" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id76"><pre><code>
+[[packages]]
+name = "sudo"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id77" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id77"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -1072,19 +1076,15 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id77" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id77"><pre><code>
-[[packages]]
-name = "sudo"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id78" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id78"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=sudo
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id79" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id79"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id78" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id78"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
 
 class install_sudo {
   package { 'sudo':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id79" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id79"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=sudo
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system-tools" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_software"><td style="padding-left: 57px" id="xccdf_org.ssgproject.content_group_system-tools"><span class="label label-default">Group</span>  
                 System Tooling / Utilities
                           <small>Group contains 15 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_system-tools" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_system-tools" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_software"><td style="padding-left: 57px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_system-tools">[ref]</a>  
@@ -1100,7 +1100,11 @@
 if ! rpm -q --quiet "dnf-plugin-subscription-manager" ; then
     yum install -y "dnf-plugin-subscription-manager"
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id82" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id82"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure dnf-plugin-subscription-manager is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id82" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id82"><pre><code>
+[[packages]]
+name = "dnf-plugin-subscription-manager"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id83" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id83"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure dnf-plugin-subscription-manager is installed
   package:
     name: dnf-plugin-subscription-manager
     state: present
@@ -1111,19 +1115,15 @@
   - medium_severity
   - no_reboot_needed
   - package_dnf-plugin-subscription-manager_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id83" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id83"><pre><code>
-[[packages]]
-name = "dnf-plugin-subscription-manager"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id84" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id84"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=dnf-plugin-subscription-manager
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id85" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id85"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_dnf-plugin-subscription-manager
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id84" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id84"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_dnf-plugin-subscription-manager
/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-pci-dss.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-pci-dss.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-pci-dss.html	2023-07-27 00:00:00.000000000 +0000
@@ -74,7 +74,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_pci-dss</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.0 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.0</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.1 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.1</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.10 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.10</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.2 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.2</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.3 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.3</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.4 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.4</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.5 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.5</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.6 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.6</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.8</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.9</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:centos:centos:8 is applicable to this Benchmark">cpe:/o:centos:centos:8</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_sssd">System Security Services Daemon</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-8"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 8
                           <small>Group contains 49 groups and 125 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -454,7 +454,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id28" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id28"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id28" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id28"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id29" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id29"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -471,19 +475,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id29" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id29"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id30" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id30"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id31" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id31"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id30" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id30"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id31" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id31"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_build_database" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_aide_build_database" id="guide-tree-leaf-id32" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_aide"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_aide_build_database"><span class="label label-default">Rule</span>  
                                 Build and Test AIDE Database
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_aide_build_database">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Run the following command to generate a new database:
@@ -819,7 +819,27 @@
 	echo "Error invoking the update-crypto-policies script: $stderr_of_call" &gt;&amp;2
 	false  # end with an error code
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id42" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id42"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id42" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id42"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    systemd:
+      units:
+        - name: configure-crypto-policy.service
+          enabled: true
+          contents: |
+            [Unit]
+            Before=kubelet.service
+            [Service]
+            Type=oneshot
+            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
+            RemainAfterExit=yes
+            [Install]
+            WantedBy=multi-user.target
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id43" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id43"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
   set_fact:
     var_system_crypto_policy: !!str <abbr title="from Benchmark/Value: xccdf_org.ssgproject.content_value_var_system_crypto_policy">DEFAULT</abbr>
   tags:
@@ -864,26 +884,6 @@
   - low_disruption
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id43" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id43"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-        - name: configure-crypto-policy.service
-          enabled: true
-          contents: |
-            [Unit]
-            Before=kubelet.service
-            [Service]
-            Type=oneshot
-            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
-            RemainAfterExit=yes
-            [Install]
-            WantedBy=multi-user.target
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy" id="guide-tree-leaf-id44" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_crypto"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy"><span class="label label-default">Rule</span>  
                                 Configure Kerberos to use System Crypto Policy
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -7078,7 +7078,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id124" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id124"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure opensc is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id124" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id124"><pre><code>
+[[packages]]
+name = "opensc"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id125" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id125"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure opensc is installed
   package:
     name: opensc
     state: present
@@ -7092,19 +7096,15 @@
   - medium_severity
   - no_reboot_needed
   - package_opensc_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id125" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id125"><pre><code>
-[[packages]]
-name = "opensc"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id126" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id126"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=opensc
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id127" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id127"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_opensc
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id126" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id126"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_opensc
 
 class install_opensc {
   package { 'opensc':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id127" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id127"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=opensc
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_pcsc-lite_installed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_pcsc-lite_installed" id="guide-tree-leaf-id128" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smart_card_login"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_pcsc-lite_installed"><span class="label label-default">Rule</span>  
                                 Install the pcsc-lite package
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_pcsc-lite_installed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The <code>pcsc-lite</code> package can be installed with the following command:
@@ -7121,7 +7121,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id130" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id130"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure pcsc-lite is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id130" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id130"><pre><code>
+[[packages]]
+name = "pcsc-lite"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id131" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id131"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure pcsc-lite is installed
   package:
     name: pcsc-lite
     state: present
@@ -7134,19 +7138,15 @@
   - medium_severity
   - no_reboot_needed
   - package_pcsc-lite_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id131" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id131"><pre><code>
-[[packages]]
-name = "pcsc-lite"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id132" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id132"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=pcsc-lite
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id133" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id133"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_pcsc-lite
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id132" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id132"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_pcsc-lite
 
 class install_pcsc-lite {
   package { 'pcsc-lite':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id133" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id133"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=pcsc-lite
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_pcscd_enabled" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_pcscd_enabled" id="guide-tree-leaf-id134" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smart_card_login"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_service_pcscd_enabled"><span class="label label-default">Rule</span>  
                                 Enable the pcscd Service
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_service_pcscd_enabled">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">
@@ -7172,7 +7172,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id136" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id136"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service pcscd
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id136" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id136"><pre><code>
+[customizations.services]
+enabled = ["pcscd"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id137" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id137"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service pcscd
   block:
 
   - name: Gather the package facts
@@ -7210,9 +7213,6 @@
   - medium_severity
   - no_reboot_needed
   - service_pcscd_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id137" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id137"><pre><code>
-[customizations.services]
-enabled = ["pcscd"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id138" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id138"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_pcscd
 
 class enable_pcscd {
@@ -7732,7 +7732,26 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-rht-ccp.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-rht-ccp.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-rht-ccp.html	2023-07-27 00:00:00.000000000 +0000
@@ -77,7 +77,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_rht-ccp</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.0 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.0</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.1 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.1</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.10 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.10</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.2 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.2</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.3 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.3</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.4 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.4</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.5 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.5</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.6 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.6</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.8</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.9</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:centos:centos:8 is applicable to this Benchmark">cpe:/o:centos:centos:8</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-8"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 8
                           <small>Group contains 39 groups and 71 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -131,7 +131,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id23" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id23"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -148,19 +152,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id23" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id23"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id24" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id24"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id24" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id24"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_crypto" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_integrity"><td style="padding-left: 76px" id="xccdf_org.ssgproject.content_group_crypto"><span class="label label-default">Group</span>  
                 System Cryptographic Policies
                           <small>Group contains 2 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_crypto" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_crypto" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_integrity"><td style="padding-left: 76px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_crypto">[ref]</a>  
@@ -220,7 +220,27 @@
 	echo "Error invoking the update-crypto-policies script: $stderr_of_call" &gt;&amp;2
 	false  # end with an error code
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id28" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id28"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id28" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id28"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    systemd:
+      units:
+        - name: configure-crypto-policy.service
+          enabled: true
+          contents: |
+            [Unit]
+            Before=kubelet.service
+            [Service]
+            Type=oneshot
+            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
+            RemainAfterExit=yes
+            [Install]
+            WantedBy=multi-user.target
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id29" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id29"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
   set_fact:
     var_system_crypto_policy: !!str <abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_system_crypto_policy">FIPS</abbr>
   tags:
@@ -265,26 +285,6 @@
   - low_disruption
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id29" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id29"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-        - name: configure-crypto-policy.service
-          enabled: true
-          contents: |
-            [Unit]
-            Before=kubelet.service
-            [Service]
-            Type=oneshot
-            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
-            RemainAfterExit=yes
-            [Install]
-            WantedBy=multi-user.target
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy" id="guide-tree-leaf-id30" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_crypto"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy"><span class="label label-default">Rule</span>  
                                 Configure SSH to use System Crypto Policy
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -5000,7 +5000,26 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id105" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id105"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id105" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id105"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/password-auth
+        overwrite: true
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/system-auth
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id106" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id106"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
     authselect
   ansible.builtin.stat:
     path: /usr/bin/authselect
@@ -5124,25 +5143,6 @@
   - medium_disruption
   - no_empty_passwords
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id106" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id106"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/password-auth
-        overwrite: true
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/system-auth
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_root_logins" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-restrictions"><td style="padding-left: 76px" id="xccdf_org.ssgproject.content_group_root_logins"><span class="label label-default">Group</span>  
                 Restrict Root Logins
                           <small>Group contains 2 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_root_logins" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_root_logins" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-restrictions"><td style="padding-left: 76px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_root_logins">[ref]</a>  
@@ -5996,7 +5996,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id130" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id130"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service firewalld
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id130" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id130"><pre><code>
+[customizations.services]
+enabled = ["firewalld"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id131" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id131"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service firewalld
   block:
 
   - name: Gather the package facts
@@ -6027,9 +6030,6 @@
   - medium_severity
   - no_reboot_needed
   - service_firewalld_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id131" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id131"><pre><code>
-[customizations.services]
-enabled = ["firewalld"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id132" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id132"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_firewalld
 
 class enable_firewalld {
@@ -6112,7 +6112,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id136" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id136"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Ensure kernel module 'dccp' is disabled
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id136" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id136"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,install%20dccp%20/bin/true%0Ablacklist%20dccp%0A
+        mode: 0644
+        path: /etc/modprobe.d/dccp.conf
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id137" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id137"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Ensure kernel module 'dccp' is disabled
   lineinfile:
/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-standard.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-standard.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-standard.html	2023-07-27 00:00:00.000000000 +0000
@@ -76,7 +76,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Standard System Security Profile for Red Hat Enterprise Linux 8</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_standard</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.0 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.0</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.1 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.1</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.10 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.10</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.2 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.2</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.3 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.3</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.4 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.4</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.5 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.5</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.6 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.6</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.8</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.9</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:centos:centos:8 is applicable to this Benchmark">cpe:/o:centos:centos:8</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-8"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 8
                           <small>Group contains 29 groups and 57 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -518,7 +518,27 @@
 	echo "Error invoking the update-crypto-policies script: $stderr_of_call" &gt;&amp;2
 	false  # end with an error code
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id30" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id30"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id30" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id30"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    systemd:
+      units:
+        - name: configure-crypto-policy.service
+          enabled: true
+          contents: |
+            [Unit]
+            Before=kubelet.service
+            [Service]
+            Type=oneshot
+            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
+            RemainAfterExit=yes
+            [Install]
+            WantedBy=multi-user.target
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id31" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id31"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
   set_fact:
     var_system_crypto_policy: !!str <abbr title="from Benchmark/Value: xccdf_org.ssgproject.content_value_var_system_crypto_policy">DEFAULT</abbr>
   tags:
@@ -563,26 +583,6 @@
   - low_disruption
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id31" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id31"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-        - name: configure-crypto-policy.service
-          enabled: true
-          contents: |
-            [Unit]
-            Before=kubelet.service
-            [Service]
-            Type=oneshot
-            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
-            RemainAfterExit=yes
-            [Install]
-            WantedBy=multi-user.target
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy" id="guide-tree-leaf-id32" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_crypto"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy"><span class="label label-default">Rule</span>  
                                 Configure Kerberos to use System Crypto Policy
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -1265,7 +1265,26 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id61" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id61"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id61" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id61"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/password-auth
+        overwrite: true
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/system-auth
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id62" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id62"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
     authselect
   ansible.builtin.stat:
     path: /usr/bin/authselect
@@ -1389,25 +1408,6 @@
   - medium_disruption
   - no_empty_passwords
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id62" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id62"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/password-auth
-        overwrite: true
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/system-auth
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_accounts-session" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts"><td style="padding-left: 57px" id="xccdf_org.ssgproject.content_group_accounts-session"><span class="label label-default">Group</span>  
                 Secure Session Configuration Files for Login Accounts
                           <small>Group contains  1 group and 1 rule</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_accounts-session" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_accounts-session" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts"><td style="padding-left: 57px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_accounts-session">[ref]</a>  
@@ -16777,7 +16777,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id116" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id116"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id116" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id116"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db64%20-S%20adjtimex%20-k%20audit_time_rules%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20adjtimex%20-k%20audit_time_rules%0A }}
+        mode: 0600
+        path: /etc/audit/rules.d/75-syscall-adjtimex.rules
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id117" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id117"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -17101,20 +17115,6 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id117" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id117"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db64%20-S%20adjtimex%20-k%20audit_time_rules%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20adjtimex%20-k%20audit_time_rules%0A }}
-        mode: 0600
-        path: /etc/audit/rules.d/75-syscall-adjtimex.rules
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime" id="guide-tree-leaf-id118" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_audit_time_rules"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime"><span class="label label-default">Rule</span>  
                                 Record Attempts to Alter Time Through clock_settime
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">If the <code>auditd</code> daemon is configured to use the
@@ -17466,7 +17466,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id120" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id120"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id120" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id120"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db64%20-S%20clock_settime%20-F%20a0%3D0x0%20-k%20time-change%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20clock_settime%20-F%20a0%3D0x0%20-k%20time-change%0A }}
+        mode: 0600
+        path: /etc/audit/rules.d/75-syscall-clock-settime.rules
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id121" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id121"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -17783,20 +17797,6 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id121" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id121"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-stig.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-stig.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-stig.html	2023-07-27 00:00:00.000000000 +0000
@@ -85,7 +85,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>DISA STIG for Red Hat Enterprise Linux 8</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_stig</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.0 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.0</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.1 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.1</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.10 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.10</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.2 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.2</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.3 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.3</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.4 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.4</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.5 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.5</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.6 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.6</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.8</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.9</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:centos:centos:8 is applicable to this Benchmark">cpe:/o:centos:centos:8</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_fapolicyd">Application Whitelisting Daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_kerberos">Kerberos</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_sssd">System Security Services Daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_usbguard">USBGuard daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_xwindows">X Window System</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-8"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 8
                           <small>Group contains 105 groups and 396 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -139,7 +139,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id23" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id23"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -156,19 +160,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id23" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id23"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id24" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id24"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id24" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id24"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_build_database" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_aide_build_database" id="guide-tree-leaf-id26" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_aide"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_aide_build_database"><span class="label label-default">Rule</span>  
                                 Build and Test AIDE Database
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_aide_build_database">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Run the following command to generate a new database:
@@ -1717,7 +1717,27 @@
 	echo "Error invoking the update-crypto-policies script: $stderr_of_call" &gt;&amp;2
 	false  # end with an error code
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id59" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id59"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id59" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id59"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    systemd:
+      units:
+        - name: configure-crypto-policy.service
+          enabled: true
+          contents: |
+            [Unit]
+            Before=kubelet.service
+            [Service]
+            Type=oneshot
+            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
+            RemainAfterExit=yes
+            [Install]
+            WantedBy=multi-user.target
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id60" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id60"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
   set_fact:
     var_system_crypto_policy: !!str <abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_system_crypto_policy">FIPS</abbr>
   tags:
@@ -1762,26 +1782,6 @@
   - low_disruption
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id60" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id60"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-        - name: configure-crypto-policy.service
-          enabled: true
-          contents: |
-            [Unit]
-            Before=kubelet.service
-            [Service]
-            Type=oneshot
-            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
-            RemainAfterExit=yes
-            [Install]
-            WantedBy=multi-user.target
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_configure_gnutls_tls_crypto_policy" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_configure_gnutls_tls_crypto_policy" id="guide-tree-leaf-id61" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_crypto"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_configure_gnutls_tls_crypto_policy"><span class="label label-default">Rule</span>  
                                 Configure GnuTLS library to use DoD-approved TLS Encryption
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_configure_gnutls_tls_crypto_policy">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -5006,7 +5006,11 @@
 if ! rpm -q --quiet "rng-tools" ; then
     yum install -y "rng-tools"
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id156" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id156"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rng-tools is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id156" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id156"><pre><code>
+[[packages]]
+name = "rng-tools"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id157" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id157"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rng-tools is installed
   package:
     name: rng-tools
     state: present
@@ -5018,19 +5022,15 @@
   - low_severity
   - no_reboot_needed
   - package_rng-tools_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id157" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id157"><pre><code>
-[[packages]]
-name = "rng-tools"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id158" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id158"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=rng-tools
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id159" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id159"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_rng-tools
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id158" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id158"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_rng-tools
 
 class install_rng-tools {
   package { 'rng-tools':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id159" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id159"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=rng-tools
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_abrt-addon-ccpp_removed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_abrt-addon-ccpp_removed" id="guide-tree-leaf-id160" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system-tools"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_abrt-addon-ccpp_removed"><span class="label label-default">Rule</span>  
                                 Uninstall abrt-addon-ccpp Package
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_abrt-addon-ccpp_removed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The <code>abrt-addon-ccpp</code> package can be removed with the following command:
@@ -5061,15 +5061,15 @@
   - low_severity
   - no_reboot_needed
   - package_abrt-addon-ccpp_removed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id163" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id163"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=abrt-addon-ccpp
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id164" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id164"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_abrt-addon-ccpp
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id163" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id163"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_abrt-addon-ccpp
 
 class remove_abrt-addon-ccpp {
   package { 'abrt-addon-ccpp':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id164" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id164"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=abrt-addon-ccpp
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_abrt-addon-kerneloops_removed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_abrt-addon-kerneloops_removed" id="guide-tree-leaf-id165" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system-tools"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_abrt-addon-kerneloops_removed"><span class="label label-default">Rule</span>  
                                 Uninstall abrt-addon-kerneloops Package
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_abrt-addon-kerneloops_removed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The <code>abrt-addon-kerneloops</code> package can be removed with the following command:
@@ -5100,15 +5100,15 @@
   - low_severity
   - no_reboot_needed
   - package_abrt-addon-kerneloops_removed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id168" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id168"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=abrt-addon-kerneloops
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id169" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id169"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_abrt-addon-kerneloops
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id168" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id168"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_abrt-addon-kerneloops
 
 class remove_abrt-addon-kerneloops {
   package { 'abrt-addon-kerneloops':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id169" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id169"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=abrt-addon-kerneloops
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_abrt-cli_removed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_abrt-cli_removed" id="guide-tree-leaf-id170" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system-tools"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_abrt-cli_removed"><span class="label label-default">Rule</span>  
                                 Uninstall abrt-cli Package
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_abrt-cli_removed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The <code>abrt-cli</code> package can be removed with the following command:
@@ -5139,15 +5139,15 @@
   - low_severity
   - no_reboot_needed
   - package_abrt-cli_removed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id173" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id173"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=abrt-cli
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id174" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id174"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_abrt-cli
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id173" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id173"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_abrt-cli
 
 class remove_abrt-cli {
   package { 'abrt-cli':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id174" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id174"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=abrt-cli
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_abrt-plugin-sosreport_removed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_abrt-plugin-sosreport_removed" id="guide-tree-leaf-id175" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system-tools"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_abrt-plugin-sosreport_removed"><span class="label label-default">Rule</span>  
                                 Uninstall abrt-plugin-sosreport Package
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_abrt-plugin-sosreport_removed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The <code>abrt-plugin-sosreport</code> package can be removed with the following command:
@@ -5177,15 +5177,15 @@
   - low_severity
   - no_reboot_needed
   - package_abrt-plugin-sosreport_removed
/usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-stig_gui.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-stig_gui.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-centos8-guide-stig_gui.html	2023-07-27 00:00:00.000000000 +0000
@@ -91,7 +91,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>DISA STIG with GUI for Red Hat Enterprise Linux 8</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_stig_gui</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.0 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.0</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.1 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.1</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.10 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.10</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.2 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.2</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.3 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.3</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.4 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.4</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.5 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.5</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.6 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.6</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.8</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.9</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:centos:centos:8 is applicable to this Benchmark">cpe:/o:centos:centos:8</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_fapolicyd">Application Whitelisting Daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_kerberos">Kerberos</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_sssd">System Security Services Daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_usbguard">USBGuard daemon</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-8"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 8
                           <small>Group contains 103 groups and 393 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -145,7 +145,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id23" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id23"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -162,19 +166,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id23" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id23"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id24" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id24"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id24" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id24"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_build_database" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_aide_build_database" id="guide-tree-leaf-id26" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_aide"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_aide_build_database"><span class="label label-default">Rule</span>  
                                 Build and Test AIDE Database
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_aide_build_database">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Run the following command to generate a new database:
@@ -1723,7 +1723,27 @@
 	echo "Error invoking the update-crypto-policies script: $stderr_of_call" &gt;&amp;2
 	false  # end with an error code
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id59" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id59"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id59" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id59"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    systemd:
+      units:
+        - name: configure-crypto-policy.service
+          enabled: true
+          contents: |
+            [Unit]
+            Before=kubelet.service
+            [Service]
+            Type=oneshot
+            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
+            RemainAfterExit=yes
+            [Install]
+            WantedBy=multi-user.target
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id60" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id60"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
   set_fact:
     var_system_crypto_policy: !!str <abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_system_crypto_policy">FIPS</abbr>
   tags:
@@ -1768,26 +1788,6 @@
   - low_disruption
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id60" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id60"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-        - name: configure-crypto-policy.service
-          enabled: true
-          contents: |
-            [Unit]
-            Before=kubelet.service
-            [Service]
-            Type=oneshot
-            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
-            RemainAfterExit=yes
-            [Install]
-            WantedBy=multi-user.target
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_configure_gnutls_tls_crypto_policy" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_configure_gnutls_tls_crypto_policy" id="guide-tree-leaf-id61" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_crypto"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_configure_gnutls_tls_crypto_policy"><span class="label label-default">Rule</span>  
                                 Configure GnuTLS library to use DoD-approved TLS Encryption
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_configure_gnutls_tls_crypto_policy">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -5012,7 +5012,11 @@
 if ! rpm -q --quiet "rng-tools" ; then
     yum install -y "rng-tools"
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id156" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id156"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rng-tools is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id156" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id156"><pre><code>
+[[packages]]
+name = "rng-tools"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id157" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id157"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rng-tools is installed
   package:
     name: rng-tools
     state: present
@@ -5024,19 +5028,15 @@
   - low_severity
   - no_reboot_needed
   - package_rng-tools_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id157" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id157"><pre><code>
-[[packages]]
-name = "rng-tools"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id158" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id158"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=rng-tools
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id159" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id159"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_rng-tools
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id158" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id158"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_rng-tools
 
 class install_rng-tools {
   package { 'rng-tools':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id159" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id159"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=rng-tools
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_abrt-addon-ccpp_removed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_abrt-addon-ccpp_removed" id="guide-tree-leaf-id160" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system-tools"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_abrt-addon-ccpp_removed"><span class="label label-default">Rule</span>  
                                 Uninstall abrt-addon-ccpp Package
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_abrt-addon-ccpp_removed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The <code>abrt-addon-ccpp</code> package can be removed with the following command:
@@ -5067,15 +5067,15 @@
   - low_severity
   - no_reboot_needed
   - package_abrt-addon-ccpp_removed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id163" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id163"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=abrt-addon-ccpp
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id164" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id164"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_abrt-addon-ccpp
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id163" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id163"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_abrt-addon-ccpp
 
 class remove_abrt-addon-ccpp {
   package { 'abrt-addon-ccpp':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id164" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id164"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=abrt-addon-ccpp
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_abrt-addon-kerneloops_removed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_abrt-addon-kerneloops_removed" id="guide-tree-leaf-id165" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system-tools"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_abrt-addon-kerneloops_removed"><span class="label label-default">Rule</span>  
                                 Uninstall abrt-addon-kerneloops Package
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_abrt-addon-kerneloops_removed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The <code>abrt-addon-kerneloops</code> package can be removed with the following command:
@@ -5106,15 +5106,15 @@
   - low_severity
   - no_reboot_needed
   - package_abrt-addon-kerneloops_removed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id168" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id168"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=abrt-addon-kerneloops
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id169" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id169"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_abrt-addon-kerneloops
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id168" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id168"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_abrt-addon-kerneloops
 
 class remove_abrt-addon-kerneloops {
   package { 'abrt-addon-kerneloops':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id169" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id169"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=abrt-addon-kerneloops
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_abrt-cli_removed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_abrt-cli_removed" id="guide-tree-leaf-id170" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system-tools"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_abrt-cli_removed"><span class="label label-default">Rule</span>  
                                 Uninstall abrt-cli Package
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_abrt-cli_removed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The <code>abrt-cli</code> package can be removed with the following command:
@@ -5145,15 +5145,15 @@
   - low_severity
   - no_reboot_needed
   - package_abrt-cli_removed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id173" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id173"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=abrt-cli
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id174" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id174"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_abrt-cli
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id173" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id173"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_abrt-cli
 
 class remove_abrt-cli {
   package { 'abrt-cli':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id174" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id174"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=abrt-cli
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_abrt-plugin-sosreport_removed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_abrt-plugin-sosreport_removed" id="guide-tree-leaf-id175" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system-tools"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_abrt-plugin-sosreport_removed"><span class="label label-default">Rule</span>  
                                 Uninstall abrt-plugin-sosreport Package
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_abrt-plugin-sosreport_removed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The <code>abrt-plugin-sosreport</code> package can be removed with the following command:
@@ -5183,15 +5183,15 @@
   - low_severity
   - no_reboot_needed
   - package_abrt-plugin-sosreport_removed
/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_enhanced.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_enhanced.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_enhanced.html	2023-07-27 00:00:00.000000000 +0000
@@ -80,7 +80,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>ANSSI-BP-028 (enhanced)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_bp28_enhanced</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:9</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:centos:centos:9 is applicable to this Benchmark">cpe:/o:centos:centos:9</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-9"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 9
                           <small>Group contains 67 groups and 230 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -134,7 +134,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id19" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id19"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id19" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id19"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id20" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id20"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -150,19 +154,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id20" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id20"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id21" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id21"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id21" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id21"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_build_database" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_aide_build_database" id="guide-tree-leaf-id23" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_aide"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_aide_build_database"><span class="label label-default">Rule</span>  
                                 Build and Test AIDE Database
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_aide_build_database">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Run the following command to generate a new database:
@@ -424,7 +424,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id49" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id49"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id49" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id49"><pre><code>
+[[packages]]
+name = "sudo"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id50" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id50"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -438,19 +442,15 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id50" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id50"><pre><code>
-[[packages]]
-name = "sudo"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id51" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id51"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=sudo
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id52" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id52"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id51" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id51"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
 
 class install_sudo {
   package { 'sudo':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id52" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id52"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=sudo
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sudo_add_noexec" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sudo_add_noexec" id="guide-tree-leaf-id53" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_sudo"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_sudo_add_noexec"><span class="label label-default">Rule</span>  
                                 Ensure Privileged Escalated Commands Cannot Execute Other Commands - sudo NOEXEC
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_sudo_add_noexec">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The sudo <code>NOEXEC</code> tag, when specified, prevents user executed
@@ -765,7 +765,11 @@
 if ! rpm -q --quiet "dnf-automatic" ; then
     dnf install -y "dnf-automatic"
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id72" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id72"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure dnf-automatic is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id72" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id72"><pre><code>
+[[packages]]
+name = "dnf-automatic"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id73" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id73"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure dnf-automatic is installed
   package:
     name: dnf-automatic
     state: present
@@ -776,19 +780,15 @@
   - medium_severity
   - no_reboot_needed
   - package_dnf-automatic_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id73" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id73"><pre><code>
-[[packages]]
-name = "dnf-automatic"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id74" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id74"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=dnf-automatic
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id75" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id75"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_dnf-automatic
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id74" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id74"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_dnf-automatic
 
 class install_dnf-automatic {
   package { 'dnf-automatic':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id75" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id75"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=dnf-automatic
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates" id="guide-tree-leaf-id76" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_updating"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates"><span class="label label-default">Rule</span>  
                                 Configure dnf-automatic to Install Available Updates Automatically
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">To ensure that the packages comprising the available updates will be automatically installed by <code>dnf-automatic</code>, set <code>apply_updates</code> to <code>yes</code> under <code>[commands]</code> section in <code>/etc/dnf/automatic.conf</code>.</div></td></tr><tr><td><span class="label label-primary">Rationale:</span></td><td><div class="rationale">Installing software updates is a fundamental mitigation against
@@ -7405,7 +7405,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id146" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id146"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Direct root Logins Not Allowed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id146" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id146"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,
+        mode: 0600
+        path: /etc/securetty
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id147" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id147"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Direct root Logins Not Allowed
   copy:
     dest: /etc/securetty
     content: ''
@@ -7422,20 +7436,6 @@
   - no_direct_root_logins
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id147" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id147"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,
-        mode: 0600
-        path: /etc/securetty
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_accounts-session" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts"><td style="padding-left: 57px" id="xccdf_org.ssgproject.content_group_accounts-session"><span class="label label-default">Group</span>  
                 Secure Session Configuration Files for Login Accounts
                           <small>Group contains 1 group and 6 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_accounts-session" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_accounts-session" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts"><td style="padding-left: 57px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_accounts-session">[ref]</a>  
@@ -31599,7 +31599,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id241" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id241"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id241" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id241"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20delete_module%20-k%20module-change%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20delete_module%20-k%20module-change%0A
+        mode: 0600
+        path: /etc/audit/rules.d/75-kernel-module-loading-delete.rules
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id242" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id242"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -31916,20 +31930,6 @@
   - low_disruption
   - medium_severity
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id242" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id242"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_high.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_high.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_high.html	2023-07-27 00:00:00.000000000 +0000
@@ -80,7 +80,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>ANSSI-BP-028 (high)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_bp28_high</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:9</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:centos:centos:9 is applicable to this Benchmark">cpe:/o:centos:centos:9</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_kernel_build_config">Kernel Configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-9"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 9
                           <small>Group contains 69 groups and 309 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -134,7 +134,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id19" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id19"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id19" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id19"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id20" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id20"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -150,19 +154,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id20" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id20"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id21" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id21"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id21" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id21"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_build_database" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_aide_build_database" id="guide-tree-leaf-id23" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_aide"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_aide_build_database"><span class="label label-default">Rule</span>  
                                 Build and Test AIDE Database
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_aide_build_database">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Run the following command to generate a new database:
@@ -697,7 +697,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id58" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id58"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id58" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id58"><pre><code>
+[[packages]]
+name = "sudo"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id59" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id59"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -711,19 +715,15 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id59" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id59"><pre><code>
-[[packages]]
-name = "sudo"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id60" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id60"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=sudo
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id61" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id61"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id60" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id60"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
 
 class install_sudo {
   package { 'sudo':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id61" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id61"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=sudo
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sudo_add_noexec" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sudo_add_noexec" id="guide-tree-leaf-id62" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_sudo"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_sudo_add_noexec"><span class="label label-default">Rule</span>  
                                 Ensure Privileged Escalated Commands Cannot Execute Other Commands - sudo NOEXEC
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_sudo_add_noexec">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The sudo <code>NOEXEC</code> tag, when specified, prevents user executed
@@ -1038,7 +1038,11 @@
 if ! rpm -q --quiet "dnf-automatic" ; then
     dnf install -y "dnf-automatic"
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id81" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id81"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure dnf-automatic is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id81" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id81"><pre><code>
+[[packages]]
+name = "dnf-automatic"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id82" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id82"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure dnf-automatic is installed
   package:
     name: dnf-automatic
     state: present
@@ -1049,19 +1053,15 @@
   - medium_severity
   - no_reboot_needed
   - package_dnf-automatic_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id82" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id82"><pre><code>
-[[packages]]
-name = "dnf-automatic"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id83" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id83"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=dnf-automatic
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id84" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id84"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_dnf-automatic
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id83" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id83"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_dnf-automatic
 
 class install_dnf-automatic {
   package { 'dnf-automatic':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id84" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id84"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=dnf-automatic
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates" id="guide-tree-leaf-id85" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_updating"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates"><span class="label label-default">Rule</span>  
                                 Configure dnf-automatic to Install Available Updates Automatically
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">To ensure that the packages comprising the available updates will be automatically installed by <code>dnf-automatic</code>, set <code>apply_updates</code> to <code>yes</code> under <code>[commands]</code> section in <code>/etc/dnf/automatic.conf</code>.</div></td></tr><tr><td><span class="label label-primary">Rationale:</span></td><td><div class="rationale">Installing software updates is a fundamental mitigation against
@@ -7678,7 +7678,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id155" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id155"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Direct root Logins Not Allowed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id155" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id155"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,
+        mode: 0600
+        path: /etc/securetty
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id156" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id156"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Direct root Logins Not Allowed
   copy:
     dest: /etc/securetty
     content: ''
@@ -7695,20 +7709,6 @@
   - no_direct_root_logins
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id156" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id156"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,
-        mode: 0600
-        path: /etc/securetty
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_accounts-session" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts"><td style="padding-left: 57px" id="xccdf_org.ssgproject.content_group_accounts-session"><span class="label label-default">Group</span>  
                 Secure Session Configuration Files for Login Accounts
                           <small>Group contains 1 group and 6 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_accounts-session" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_accounts-session" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts"><td style="padding-left: 57px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_accounts-session">[ref]</a>  
@@ -31872,7 +31872,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id250" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id250"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id250" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id250"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20delete_module%20-k%20module-change%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20delete_module%20-k%20module-change%0A
+        mode: 0600
+        path: /etc/audit/rules.d/75-kernel-module-loading-delete.rules
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id251" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id251"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -32189,20 +32203,6 @@
   - low_disruption
   - medium_severity
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id251" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id251"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_intermediary.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_intermediary.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_intermediary.html	2023-07-27 00:00:00.000000000 +0000
@@ -80,7 +80,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>ANSSI-BP-028 (intermediary)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_bp28_intermediary</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:9</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:centos:centos:9 is applicable to this Benchmark">cpe:/o:centos:centos:9</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-9"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 9
                           <small>Group contains 55 groups and 164 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -134,7 +134,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id19" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id19"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id19" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id19"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id20" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id20"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -150,19 +154,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id20" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id20"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id21" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id21"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id21" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id21"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_build_database" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_aide_build_database" id="guide-tree-leaf-id23" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_aide"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_aide_build_database"><span class="label label-default">Rule</span>  
                                 Build and Test AIDE Database
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_aide_build_database">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Run the following command to generate a new database:
@@ -406,7 +406,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id46" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id46"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id46" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id46"><pre><code>
+[[packages]]
+name = "sudo"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id47" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id47"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -420,19 +424,15 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id47" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id47"><pre><code>
-[[packages]]
-name = "sudo"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id48" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id48"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=sudo
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id49" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id49"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id48" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id48"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
 
 class install_sudo {
   package { 'sudo':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id49" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id49"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=sudo
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sudo_add_noexec" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sudo_add_noexec" id="guide-tree-leaf-id50" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_sudo"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_sudo_add_noexec"><span class="label label-default">Rule</span>  
                                 Ensure Privileged Escalated Commands Cannot Execute Other Commands - sudo NOEXEC
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_sudo_add_noexec">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The sudo <code>NOEXEC</code> tag, when specified, prevents user executed
@@ -747,7 +747,11 @@
 if ! rpm -q --quiet "dnf-automatic" ; then
     dnf install -y "dnf-automatic"
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id69" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id69"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure dnf-automatic is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id69" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id69"><pre><code>
+[[packages]]
+name = "dnf-automatic"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id70" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id70"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure dnf-automatic is installed
   package:
     name: dnf-automatic
     state: present
@@ -758,19 +762,15 @@
   - medium_severity
   - no_reboot_needed
   - package_dnf-automatic_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id70" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id70"><pre><code>
-[[packages]]
-name = "dnf-automatic"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id71" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id71"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=dnf-automatic
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id72" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id72"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_dnf-automatic
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id71" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id71"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_dnf-automatic
 
 class install_dnf-automatic {
   package { 'dnf-automatic':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id72" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id72"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=dnf-automatic
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates" id="guide-tree-leaf-id73" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_updating"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates"><span class="label label-default">Rule</span>  
                                 Configure dnf-automatic to Install Available Updates Automatically
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">To ensure that the packages comprising the available updates will be automatically installed by <code>dnf-automatic</code>, set <code>apply_updates</code> to <code>yes</code> under <code>[commands]</code> section in <code>/etc/dnf/automatic.conf</code>.</div></td></tr><tr><td><span class="label label-primary">Rationale:</span></td><td><div class="rationale">Installing software updates is a fundamental mitigation against
@@ -7382,7 +7382,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id142" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id142"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Direct root Logins Not Allowed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id142" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id142"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,
+        mode: 0600
+        path: /etc/securetty
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id143" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id143"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Direct root Logins Not Allowed
   copy:
     dest: /etc/securetty
     content: ''
@@ -7399,20 +7413,6 @@
   - no_direct_root_logins
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id143" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id143"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,
-        mode: 0600
-        path: /etc/securetty
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_accounts-session" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts"><td style="padding-left: 57px" id="xccdf_org.ssgproject.content_group_accounts-session"><span class="label label-default">Group</span>  
                 Secure Session Configuration Files for Login Accounts
                           <small>Group contains 3 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_accounts-session" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_accounts-session" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts"><td style="padding-left: 57px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_accounts-session">[ref]</a>  
@@ -8363,7 +8363,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id161" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id161"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id161" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id161"><pre><code>[customizations.kernel]
+append = "l1tf=<abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_l1tf_options">full,force</abbr>"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id162" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id162"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -8391,8 +8393,6 @@
   - medium_complexity
   - reboot_required
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id162" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id162"><pre><code>[customizations.kernel]
-append = "l1tf=<abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_l1tf_options">full,force</abbr>"
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_mce_argument" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_grub2_mce_argument" id="guide-tree-leaf-id163" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_bootloader-grub2"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_grub2_mce_argument"><span class="label label-default">Rule</span>  
                                 Force kernel panic on uncorrected MCEs
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_grub2_mce_argument">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">A Machine Check Exception is an error generated by the CPU itdetects an error
@@ -8418,7 +8418,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id165" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id165"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id165" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id165"><pre><code>[customizations.kernel]
+append = "mce=0"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id166" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id166"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -8441,8 +8443,6 @@
   - medium_severity
   - reboot_required
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id166" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id166"><pre><code>[customizations.kernel]
-append = "mce=0"
/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_minimal.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_minimal.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-anssi_bp28_minimal.html	2023-07-27 00:00:00.000000000 +0000
@@ -80,7 +80,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>ANSSI-BP-028 (minimal)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_bp28_minimal</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:9</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:centos:centos:9 is applicable to this Benchmark">cpe:/o:centos:centos:9</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-9"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 9
                           <small>Group contains 26 groups and 47 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -240,7 +240,11 @@
 if ! rpm -q --quiet "dnf-automatic" ; then
     dnf install -y "dnf-automatic"
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure dnf-automatic is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><pre><code>
+[[packages]]
+name = "dnf-automatic"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id26" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id26"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure dnf-automatic is installed
   package:
     name: dnf-automatic
     state: present
@@ -251,19 +255,15 @@
   - medium_severity
   - no_reboot_needed
   - package_dnf-automatic_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id26" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id26"><pre><code>
-[[packages]]
-name = "dnf-automatic"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id27" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id27"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=dnf-automatic
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id28" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id28"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_dnf-automatic
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id27" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id27"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_dnf-automatic
 
 class install_dnf-automatic {
   package { 'dnf-automatic':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id28" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id28"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=dnf-automatic
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates" id="guide-tree-leaf-id29" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_updating"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates"><span class="label label-default">Rule</span>  
                                 Configure dnf-automatic to Install Available Updates Automatically
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">To ensure that the packages comprising the available updates will be automatically installed by <code>dnf-automatic</code>, set <code>apply_updates</code> to <code>yes</code> under <code>[commands]</code> section in <code>/etc/dnf/automatic.conf</code>.</div></td></tr><tr><td><span class="label label-primary">Rationale:</span></td><td><div class="rationale">Installing software updates is a fundamental mitigation against
@@ -7163,15 +7163,15 @@
   - medium_severity
   - no_reboot_needed
   - package_dhcp_removed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id113" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id113"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=dhcp-server
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id114" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id114"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_dhcp-server
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id113" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id113"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_dhcp-server
 
 class remove_dhcp-server {
   package { 'dhcp-server':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id114" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id114"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=dhcp-server
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_mail" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td style="padding-left: 38px" id="xccdf_org.ssgproject.content_group_mail"><span class="label label-default">Group</span>  
                 Mail Server Software
                           <small>Group contains  1 rule</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_mail" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_mail" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td style="padding-left: 38px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_mail">[ref]</a>  
@@ -7237,15 +7237,15 @@
   - medium_severity
   - no_reboot_needed
   - package_sendmail_removed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id118" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id118"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=sendmail
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id119" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id119"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_sendmail
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id118" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id118"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_sendmail
 
 class remove_sendmail {
   package { 'sendmail':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id119" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id119"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=sendmail
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_obsolete" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td style="padding-left: 38px" id="xccdf_org.ssgproject.content_group_obsolete"><span class="label label-default">Group</span>  
                 Obsolete Services
                           <small>Group contains 6 groups and 11 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_obsolete" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_obsolete" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td style="padding-left: 38px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_obsolete">[ref]</a>  
@@ -7312,15 +7312,15 @@
   - low_severity
   - no_reboot_needed
   - package_xinetd_removed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id123" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id123"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=xinetd
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id124" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id124"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_xinetd
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id123" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id123"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_xinetd
 
 class remove_xinetd {
   package { 'xinetd':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id124" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id124"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=xinetd
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_nis" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td style="padding-left: 57px" id="xccdf_org.ssgproject.content_group_nis"><span class="label label-default">Group</span>  
                 NIS
                           <small>Group contains 2 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_nis" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_nis" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td style="padding-left: 57px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_nis">[ref]</a>  
@@ -7363,15 +7363,15 @@
   - no_reboot_needed
   - package_ypbind_removed
   - unknown_severity
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id128" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id128"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=ypbind
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id129" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id129"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_ypbind
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id128" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id128"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_ypbind
 
 class remove_ypbind {
   package { 'ypbind':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id129" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id129"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=ypbind
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_ypserv_removed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ypserv_removed" id="guide-tree-leaf-id130" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_nis"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_ypserv_removed"><span class="label label-default">Rule</span>  
                                 Uninstall ypserv Package
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_ypserv_removed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The <code>ypserv</code> package can be removed with the following command:
@@ -7411,15 +7411,15 @@
   - low_disruption
   - no_reboot_needed
   - package_ypserv_removed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id133" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id133"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=ypserv
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id134" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id134"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_ypserv
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id133" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id133"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_ypserv
 
 class remove_ypserv {
   package { 'ypserv':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id134" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id134"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=ypserv
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_r_services" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td style="padding-left: 57px" id="xccdf_org.ssgproject.content_group_r_services"><span class="label label-default">Group</span>  
                 Rlogin, Rsh, and Rexec
                           <small>Group contains 2 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_r_services" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_r_services" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td style="padding-left: 57px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_r_services">[ref]</a>  
@@ -7462,15 +7462,15 @@
   - low_disruption
   - no_reboot_needed
   - package_rsh-server_removed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id138" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id138"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=rsh-server
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id139" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id139"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_rsh-server
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id138" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id138"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_rsh-server
 
 class remove_rsh-server {
   package { 'rsh-server':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id139" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id139"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=rsh-server
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_rsh_removed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_rsh_removed" id="guide-tree-leaf-id140" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_rsh_removed"><span class="label label-default">Rule</span>  
                                 Uninstall rsh Package
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_rsh_removed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">
@@ -7509,15 +7509,15 @@
   - no_reboot_needed
   - package_rsh_removed
   - unknown_severity
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id143" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id143"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=rsh
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id144" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id144"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_rsh
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id143" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id143"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_rsh
 
 class remove_rsh {
   package { 'rsh':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id144" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id144"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=rsh
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_talk" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td style="padding-left: 57px" id="xccdf_org.ssgproject.content_group_talk"><span class="label label-default">Group</span>  
                 Chat/Messaging Services
                           <small>Group contains 2 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_talk" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_talk" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td style="padding-left: 57px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_talk">[ref]</a>  
@@ -7550,15 +7550,15 @@
   - medium_severity
   - no_reboot_needed
   - package_talk-server_removed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id148" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id148"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=talk-server
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id149" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id149"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_talk-server
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id148" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id148"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_talk-server
 
 class remove_talk-server {
   package { 'talk-server':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id149" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id149"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=talk-server
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_talk_removed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_talk_removed" id="guide-tree-leaf-id150" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_talk"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_talk_removed"><span class="label label-default">Rule</span>  
                                 Uninstall talk Package
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_talk_removed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The <code>talk</code> package contains the client program for the
@@ -7594,15 +7594,15 @@
/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis.html	2023-07-27 00:00:00.000000000 +0000
@@ -79,7 +79,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Server</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_cis</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:9</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:centos:centos:9 is applicable to this Benchmark">cpe:/o:centos:centos:9</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_avahi">Avahi Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_dns">DNS Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_http">Web Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_imap">IMAP and POP3 Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_printing">Print Support</a></li><li><a href="#xccdf_org.ssgproject.content_group_proxy">Proxy Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB) Microsoft Windows File Sharing Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_snmp">SNMP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_xwindows">X Window System</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-9"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 9
                           <small>Group contains 112 groups and 352 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -133,7 +133,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id19" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id19"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id19" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id19"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id20" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id20"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -149,19 +153,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id20" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id20"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id21" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id21"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id21" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id21"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_build_database" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_aide_build_database" id="guide-tree-leaf-id23" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_aide"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_aide_build_database"><span class="label label-default">Rule</span>  
                                 Build and Test AIDE Database
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_aide_build_database">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Run the following command to generate a new database:
@@ -620,7 +620,27 @@
 	echo "Error invoking the update-crypto-policies script: $stderr_of_call" &gt;&amp;2
 	false  # end with an error code
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id34" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id34"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id34" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id34"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    systemd:
+      units:
+        - name: configure-crypto-policy.service
+          enabled: true
+          contents: |
+            [Unit]
+            Before=kubelet.service
+            [Service]
+            Type=oneshot
+            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
+            RemainAfterExit=yes
+            [Install]
+            WantedBy=multi-user.target
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id35" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id35"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
   set_fact:
     var_system_crypto_policy: !!str <abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_system_crypto_policy">DEFAULT</abbr>
   tags:
@@ -663,26 +683,6 @@
   - low_disruption
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id35" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id35"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-        - name: configure-crypto-policy.service
-          enabled: true
-          contents: |
-            [Unit]
-            Before=kubelet.service
-            [Service]
-            Type=oneshot
-            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
-            RemainAfterExit=yes
-            [Install]
-            WantedBy=multi-user.target
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy" id="guide-tree-leaf-id36" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_crypto"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy"><span class="label label-default">Rule</span>  
                                 Configure SSH to use System Crypto Policy
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -2038,15 +2038,15 @@
   - medium_severity
   - no_reboot_needed
   - package_gdm_removed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id90" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id90"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=gdm
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id91" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id91"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_gdm
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id90" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id90"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_gdm
 
 class remove_gdm {
   package { 'gdm':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id91" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id91"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=gdm
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_dconf_db_up_to_date" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_dconf_db_up_to_date" id="guide-tree-leaf-id92" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_gnome"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_dconf_db_up_to_date"><span class="label label-default">Rule</span>  
                                 Make sure that the dconf databases are up-to-date with regards to respective keyfiles
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_dconf_db_up_to_date">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">By default, DConf uses a binary database as a data backend.
@@ -2093,7 +2093,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id96" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id96"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id96" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id96"><pre><code>
+[[packages]]
+name = "sudo"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id97" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id97"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -2107,19 +2111,15 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id97" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id97"><pre><code>
-[[packages]]
-name = "sudo"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id98" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id98"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=sudo
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id99" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id99"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id98" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id98"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
 
 class install_sudo {
   package { 'sudo':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id99" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id99"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=sudo
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sudo_add_use_pty" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sudo_add_use_pty" id="guide-tree-leaf-id100" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_sudo"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_sudo_add_use_pty"><span class="label label-default">Rule</span>  
                                 Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_pty
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_sudo_add_use_pty">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The sudo <code>use_pty</code> tag, when specified, will only execute sudo
@@ -9687,7 +9687,26 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id216" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id216"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id216" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id216"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/password-auth
+        overwrite: true
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/system-auth
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id217" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id217"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
     authselect
   ansible.builtin.stat:
     path: /usr/bin/authselect
@@ -9808,25 +9827,6 @@
   - medium_disruption
   - no_empty_passwords
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id217" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id217"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis_server_l1.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis_server_l1.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis_server_l1.html	2023-07-27 00:00:00.000000000 +0000
@@ -79,7 +79,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Server</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_cis_server_l1</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:9</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:centos:centos:9 is applicable to this Benchmark">cpe:/o:centos:centos:9</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_avahi">Avahi Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_dns">DNS Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_http">Web Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_imap">IMAP and POP3 Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_printing">Print Support</a></li><li><a href="#xccdf_org.ssgproject.content_group_proxy">Proxy Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB) Microsoft Windows File Sharing Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_snmp">SNMP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-9"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 9
                           <small>Group contains 96 groups and 267 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -133,7 +133,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id19" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id19"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id19" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id19"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id20" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id20"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -149,19 +153,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id20" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id20"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id21" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id21"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id21" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id21"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_build_database" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_aide_build_database" id="guide-tree-leaf-id23" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_aide"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_aide_build_database"><span class="label label-default">Rule</span>  
                                 Build and Test AIDE Database
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_aide_build_database">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Run the following command to generate a new database:
@@ -620,7 +620,27 @@
 	echo "Error invoking the update-crypto-policies script: $stderr_of_call" &gt;&amp;2
 	false  # end with an error code
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id34" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id34"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id34" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id34"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    systemd:
+      units:
+        - name: configure-crypto-policy.service
+          enabled: true
+          contents: |
+            [Unit]
+            Before=kubelet.service
+            [Service]
+            Type=oneshot
+            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
+            RemainAfterExit=yes
+            [Install]
+            WantedBy=multi-user.target
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id35" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id35"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
   set_fact:
     var_system_crypto_policy: !!str <abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_system_crypto_policy">DEFAULT</abbr>
   tags:
@@ -663,26 +683,6 @@
   - low_disruption
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id35" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id35"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-        - name: configure-crypto-policy.service
-          enabled: true
-          contents: |
-            [Unit]
-            Before=kubelet.service
-            [Service]
-            Type=oneshot
-            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
-            RemainAfterExit=yes
-            [Install]
-            WantedBy=multi-user.target
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy" id="guide-tree-leaf-id36" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_crypto"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy"><span class="label label-default">Rule</span>  
                                 Configure SSH to use System Crypto Policy
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -1950,7 +1950,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id76" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id76"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id76" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id76"><pre><code>
+[[packages]]
+name = "sudo"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id77" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id77"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -1964,19 +1968,15 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id77" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id77"><pre><code>
-[[packages]]
-name = "sudo"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id78" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id78"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=sudo
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id79" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id79"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id78" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id78"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
 
 class install_sudo {
   package { 'sudo':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id79" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id79"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=sudo
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sudo_add_use_pty" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sudo_add_use_pty" id="guide-tree-leaf-id80" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_sudo"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_sudo_add_use_pty"><span class="label label-default">Rule</span>  
                                 Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_pty
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_sudo_add_use_pty">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The sudo <code>use_pty</code> tag, when specified, will only execute sudo
@@ -9435,7 +9435,26 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id193" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id193"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id193" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id193"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/password-auth
+        overwrite: true
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/system-auth
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id194" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id194"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
     authselect
   ansible.builtin.stat:
     path: /usr/bin/authselect
@@ -9556,25 +9575,6 @@
   - medium_disruption
   - no_empty_passwords
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id194" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id194"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/password-auth
-        overwrite: true
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/system-auth
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow" id="guide-tree-leaf-id195" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_password_storage"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow"><span class="label label-default">Rule</span>  
                                 Ensure There Are No Accounts With Blank or Null Passwords
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Check the "/etc/shadow" file for blank passwords with the
@@ -12166,7 +12166,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id273" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id273"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service systemd-journald
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id273" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id273"><pre><code>
+[customizations.services]
/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis_workstation_l1.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis_workstation_l1.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis_workstation_l1.html	2023-07-27 00:00:00.000000000 +0000
@@ -79,7 +79,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Workstation</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_cis_workstation_l1</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:9</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:centos:centos:9 is applicable to this Benchmark">cpe:/o:centos:centos:9</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_dns">DNS Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_http">Web Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_imap">IMAP and POP3 Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_proxy">Proxy Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB) Microsoft Windows File Sharing Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_snmp">SNMP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-9"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 9
                           <small>Group contains 91 groups and 263 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -133,7 +133,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id19" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id19"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id19" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id19"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id20" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id20"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -149,19 +153,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id20" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id20"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id21" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id21"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id21" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id21"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_build_database" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_aide_build_database" id="guide-tree-leaf-id23" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_aide"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_aide_build_database"><span class="label label-default">Rule</span>  
                                 Build and Test AIDE Database
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_aide_build_database">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Run the following command to generate a new database:
@@ -620,7 +620,27 @@
 	echo "Error invoking the update-crypto-policies script: $stderr_of_call" &gt;&amp;2
 	false  # end with an error code
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id34" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id34"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id34" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id34"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    systemd:
+      units:
+        - name: configure-crypto-policy.service
+          enabled: true
+          contents: |
+            [Unit]
+            Before=kubelet.service
+            [Service]
+            Type=oneshot
+            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
+            RemainAfterExit=yes
+            [Install]
+            WantedBy=multi-user.target
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id35" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id35"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
   set_fact:
     var_system_crypto_policy: !!str <abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_system_crypto_policy">DEFAULT</abbr>
   tags:
@@ -663,26 +683,6 @@
   - low_disruption
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id35" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id35"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-        - name: configure-crypto-policy.service
-          enabled: true
-          contents: |
-            [Unit]
-            Before=kubelet.service
-            [Service]
-            Type=oneshot
-            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
-            RemainAfterExit=yes
-            [Install]
-            WantedBy=multi-user.target
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy" id="guide-tree-leaf-id36" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_crypto"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy"><span class="label label-default">Rule</span>  
                                 Configure SSH to use System Crypto Policy
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -1950,7 +1950,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id76" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id76"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id76" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id76"><pre><code>
+[[packages]]
+name = "sudo"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id77" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id77"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -1964,19 +1968,15 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id77" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id77"><pre><code>
-[[packages]]
-name = "sudo"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id78" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id78"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=sudo
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id79" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id79"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id78" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id78"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
 
 class install_sudo {
   package { 'sudo':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id79" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id79"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=sudo
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sudo_add_use_pty" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sudo_add_use_pty" id="guide-tree-leaf-id80" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_sudo"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_sudo_add_use_pty"><span class="label label-default">Rule</span>  
                                 Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_pty
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_sudo_add_use_pty">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The sudo <code>use_pty</code> tag, when specified, will only execute sudo
@@ -9435,7 +9435,26 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id193" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id193"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id193" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id193"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/password-auth
+        overwrite: true
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/system-auth
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id194" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id194"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
     authselect
   ansible.builtin.stat:
     path: /usr/bin/authselect
@@ -9556,25 +9575,6 @@
   - medium_disruption
   - no_empty_passwords
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id194" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id194"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/password-auth
-        overwrite: true
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/system-auth
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow" id="guide-tree-leaf-id195" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_password_storage"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow"><span class="label label-default">Rule</span>  
                                 Ensure There Are No Accounts With Blank or Null Passwords
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Check the "/etc/shadow" file for blank passwords with the
@@ -12166,7 +12166,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id273" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id273"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service systemd-journald
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id273" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id273"><pre><code>
+[customizations.services]
/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis_workstation_l2.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis_workstation_l2.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cis_workstation_l2.html	2023-07-27 00:00:00.000000000 +0000
@@ -79,7 +79,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Workstation</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_cis_workstation_l2</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:9</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:centos:centos:9 is applicable to this Benchmark">cpe:/o:centos:centos:9</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_dns">DNS Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_http">Web Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_imap">IMAP and POP3 Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_proxy">Proxy Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB) Microsoft Windows File Sharing Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_snmp">SNMP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-9"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 9
                           <small>Group contains 105 groups and 346 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -133,7 +133,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id19" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id19"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id19" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id19"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id20" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id20"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -149,19 +153,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id20" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id20"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id21" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id21"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id21" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id21"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_build_database" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_aide_build_database" id="guide-tree-leaf-id23" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_aide"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_aide_build_database"><span class="label label-default">Rule</span>  
                                 Build and Test AIDE Database
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_aide_build_database">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Run the following command to generate a new database:
@@ -620,7 +620,27 @@
 	echo "Error invoking the update-crypto-policies script: $stderr_of_call" &gt;&amp;2
 	false  # end with an error code
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id34" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id34"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id34" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id34"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    systemd:
+      units:
+        - name: configure-crypto-policy.service
+          enabled: true
+          contents: |
+            [Unit]
+            Before=kubelet.service
+            [Service]
+            Type=oneshot
+            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
+            RemainAfterExit=yes
+            [Install]
+            WantedBy=multi-user.target
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id35" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id35"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
   set_fact:
     var_system_crypto_policy: !!str <abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_system_crypto_policy">DEFAULT</abbr>
   tags:
@@ -663,26 +683,6 @@
   - low_disruption
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id35" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id35"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-        - name: configure-crypto-policy.service
-          enabled: true
-          contents: |
-            [Unit]
-            Before=kubelet.service
-            [Service]
-            Type=oneshot
-            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
-            RemainAfterExit=yes
-            [Install]
-            WantedBy=multi-user.target
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy" id="guide-tree-leaf-id36" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_crypto"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy"><span class="label label-default">Rule</span>  
                                 Configure SSH to use System Crypto Policy
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -2025,7 +2025,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id91" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id91"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id91" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id91"><pre><code>
+[[packages]]
+name = "sudo"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id92" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id92"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -2039,19 +2043,15 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id92" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id92"><pre><code>
-[[packages]]
-name = "sudo"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id93" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id93"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=sudo
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id94" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id94"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id93" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id93"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
 
 class install_sudo {
   package { 'sudo':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id94" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id94"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=sudo
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sudo_add_use_pty" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sudo_add_use_pty" id="guide-tree-leaf-id95" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_sudo"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_sudo_add_use_pty"><span class="label label-default">Rule</span>  
                                 Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_pty
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_sudo_add_use_pty">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The sudo <code>use_pty</code> tag, when specified, will only execute sudo
@@ -9619,7 +9619,26 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id211" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id211"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id211" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id211"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/password-auth
+        overwrite: true
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/system-auth
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id212" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id212"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
     authselect
   ansible.builtin.stat:
     path: /usr/bin/authselect
@@ -9740,25 +9759,6 @@
   - medium_disruption
   - no_empty_passwords
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id212" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id212"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/password-auth
-        overwrite: true
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/system-auth
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow" id="guide-tree-leaf-id213" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_password_storage"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow"><span class="label label-default">Rule</span>  
                                 Ensure There Are No Accounts With Blank or Null Passwords
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Check the "/etc/shadow" file for blank passwords with the
@@ -34588,7 +34588,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id338" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id338"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id338" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id338"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cui.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cui.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-cui.html	2023-07-27 00:00:00.000000000 +0000
@@ -90,7 +90,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>[DRAFT] Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_cui</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:9</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:centos:centos:9 is applicable to this Benchmark">cpe:/o:centos:centos:9</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-zipl">zIPL bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_fapolicyd">Application Whitelisting Daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_usbguard">USBGuard daemon</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-9"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 9
                           <small>Group contains 46 groups and 144 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -288,7 +288,11 @@
 if ! rpm -q --quiet "crypto-policies" ; then
     dnf install -y "crypto-policies"
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id24" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id24"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure crypto-policies is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id24" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id24"><pre><code>
+[[packages]]
+name = "crypto-policies"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure crypto-policies is installed
   package:
     name: crypto-policies
     state: present
@@ -299,19 +303,15 @@
   - medium_severity
   - no_reboot_needed
   - package_crypto-policies_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><pre><code>
-[[packages]]
-name = "crypto-policies"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id26" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id26"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=crypto-policies
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id27" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id27"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_crypto-policies
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id26" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id26"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_crypto-policies
 
 class install_crypto-policies {
   package { 'crypto-policies':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id27" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id27"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=crypto-policies
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_configure_crypto_policy" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_configure_crypto_policy" id="guide-tree-leaf-id28" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_crypto"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_configure_crypto_policy"><span class="label label-default">Rule</span>  
                                 Configure System Cryptography Policy
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_configure_crypto_policy">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">To configure the system cryptography policy to use ciphers only from the <code><abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_system_crypto_policy">FIPS:OSPP</abbr></code>
@@ -356,7 +356,27 @@
 	echo "Error invoking the update-crypto-policies script: $stderr_of_call" &gt;&amp;2
 	false  # end with an error code
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id30" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id30"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id30" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id30"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    systemd:
+      units:
+        - name: configure-crypto-policy.service
+          enabled: true
+          contents: |
+            [Unit]
+            Before=kubelet.service
+            [Service]
+            Type=oneshot
+            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
+            RemainAfterExit=yes
+            [Install]
+            WantedBy=multi-user.target
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id31" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id31"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
   set_fact:
     var_system_crypto_policy: !!str <abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_system_crypto_policy">FIPS:OSPP</abbr>
   tags:
@@ -399,26 +419,6 @@
   - low_disruption
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id31" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id31"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-        - name: configure-crypto-policy.service
-          enabled: true
-          contents: |
-            [Unit]
-            Before=kubelet.service
-            [Service]
-            Type=oneshot
-            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
-            RemainAfterExit=yes
-            [Install]
-            WantedBy=multi-user.target
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_configure_openssl_crypto_policy" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_configure_openssl_crypto_policy" id="guide-tree-leaf-id32" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_crypto"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_configure_openssl_crypto_policy"><span class="label label-default">Rule</span>  
                                 Configure OpenSSL library to use System Crypto Policy
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_configure_openssl_crypto_policy">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -632,7 +632,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id43" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id43"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id43" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id43"><pre><code>
+[[packages]]
+name = "sudo"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id44" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id44"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -646,19 +650,15 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id44" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id44"><pre><code>
-[[packages]]
-name = "sudo"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id45" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id45"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=sudo
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id46" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id46"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id45" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id45"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
 
 class install_sudo {
   package { 'sudo':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id46" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id46"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=sudo
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system-tools" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_software"><td style="padding-left: 57px" id="xccdf_org.ssgproject.content_group_system-tools"><span class="label label-default">Group</span>  
                 System Tooling / Utilities
                           <small>Group contains 4 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_system-tools" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_system-tools" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_software"><td style="padding-left: 57px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_system-tools">[ref]</a>  
@@ -678,7 +678,11 @@
 if ! rpm -q --quiet "gnutls-utils" ; then
     dnf install -y "gnutls-utils"
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id49" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id49"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure gnutls-utils is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id49" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id49"><pre><code>
+[[packages]]
+name = "gnutls-utils"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id50" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id50"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure gnutls-utils is installed
   package:
     name: gnutls-utils
     state: present
@@ -689,19 +693,15 @@
   - medium_severity
   - no_reboot_needed
   - package_gnutls-utils_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id50" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id50"><pre><code>
-[[packages]]
-name = "gnutls-utils"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id51" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id51"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=gnutls-utils
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id52" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id52"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_gnutls-utils
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id51" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id51"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_gnutls-utils
 
 class install_gnutls-utils {
   package { 'gnutls-utils':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id52" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id52"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=gnutls-utils
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_openscap-scanner_installed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_openscap-scanner_installed" id="guide-tree-leaf-id53" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system-tools"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_openscap-scanner_installed"><span class="label label-default">Rule</span>  
                                 Install openscap-scanner Package
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_openscap-scanner_installed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The <code>openscap-scanner</code> package can be installed with the following command:
@@ -713,7 +713,11 @@
 if ! rpm -q --quiet "openscap-scanner" ; then
     dnf install -y "openscap-scanner"
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id55" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id55"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure openscap-scanner is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id55" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id55"><pre><code>
+[[packages]]
+name = "openscap-scanner"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id56" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id56"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure openscap-scanner is installed
   package:
     name: openscap-scanner
     state: present
@@ -724,19 +728,15 @@
   - medium_severity
   - no_reboot_needed
   - package_openscap-scanner_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id56" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id56"><pre><code>
-[[packages]]
-name = "openscap-scanner"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id57" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id57"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=openscap-scanner
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id58" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id58"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_openscap-scanner
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id57" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id57"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_openscap-scanner
/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-e8.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-e8.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-e8.html	2023-07-27 00:00:00.000000000 +0000
@@ -80,7 +80,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Australian Cyber Security Centre (ACSC) Essential Eight</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_e8</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:9</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:centos:centos:9 is applicable to this Benchmark">cpe:/o:centos:centos:9</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_avahi">Avahi Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_fapolicyd">Application Whitelisting Daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_proxy">Proxy Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_routing">Network Routing</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-9"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 9
                           <small>Group contains 48 groups and 98 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -614,7 +614,27 @@
 	echo "Error invoking the update-crypto-policies script: $stderr_of_call" &gt;&amp;2
 	false  # end with an error code
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id28" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id28"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id28" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id28"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    systemd:
+      units:
+        - name: configure-crypto-policy.service
+          enabled: true
+          contents: |
+            [Unit]
+            Before=kubelet.service
+            [Service]
+            Type=oneshot
+            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
+            RemainAfterExit=yes
+            [Install]
+            WantedBy=multi-user.target
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id29" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id29"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
   set_fact:
     var_system_crypto_policy: !!str <abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_system_crypto_policy">DEFAULT:NO-SHA1</abbr>
   tags:
@@ -657,26 +677,6 @@
   - low_disruption
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id29" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id29"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-        - name: configure-crypto-policy.service
-          enabled: true
-          contents: |
-            [Unit]
-            Before=kubelet.service
-            [Service]
-            Type=oneshot
-            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
-            RemainAfterExit=yes
-            [Install]
-            WantedBy=multi-user.target
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy" id="guide-tree-leaf-id30" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_crypto"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy"><span class="label label-default">Rule</span>  
                                 Configure SSH to use System Crypto Policy
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -963,7 +963,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id44" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id44"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rear is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id44" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id44"><pre><code>
+[[packages]]
+name = "rear"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id45" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id45"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rear is installed
   package:
     name: rear
     state: present
@@ -979,19 +983,15 @@
   - medium_severity
   - no_reboot_needed
   - package_rear_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id45" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id45"><pre><code>
-[[packages]]
-name = "rear"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id46" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id46"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=rear
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id47" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id47"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_rear
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id46" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id46"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_rear
 
 class install_rear {
   package { 'rear':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id47" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id47"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=rear
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_updating" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_software"><td style="padding-left: 57px" id="xccdf_org.ssgproject.content_group_updating"><span class="label label-default">Group</span>  
                 Updating Software
                           <small>Group contains 6 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_updating" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_updating" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_software"><td style="padding-left: 57px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_updating">[ref]</a>  
@@ -1584,7 +1584,26 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id67" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id67"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id67" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id67"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/password-auth
+        overwrite: true
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/system-auth
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id68" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id68"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
     authselect
   ansible.builtin.stat:
     path: /usr/bin/authselect
@@ -1705,25 +1724,6 @@
   - medium_disruption
   - no_empty_passwords
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id68" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id68"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/password-auth
-        overwrite: true
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/system-auth
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_root_logins" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-restrictions"><td style="padding-left: 76px" id="xccdf_org.ssgproject.content_group_root_logins"><span class="label label-default">Group</span>  
                 Restrict Root Logins
                           <small>Group contains  1 rule</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_root_logins" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_root_logins" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-restrictions"><td style="padding-left: 76px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_root_logins">[ref]</a>  
@@ -8863,7 +8863,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id114" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id114"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id114" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id114"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db64%20-S%20adjtimex%20-k%20audit_time_rules%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20adjtimex%20-k%20audit_time_rules%0A }}
+        mode: 0600
+        path: /etc/audit/rules.d/75-syscall-adjtimex.rules
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id115" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id115"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -9187,20 +9201,6 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id115" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id115"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db64%20-S%20adjtimex%20-k%20audit_time_rules%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20adjtimex%20-k%20audit_time_rules%0A }}
-        mode: 0600
-        path: /etc/audit/rules.d/75-syscall-adjtimex.rules
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime" id="guide-tree-leaf-id116" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_audit_time_rules"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime"><span class="label label-default">Rule</span>  
                                 Record Attempts to Alter Time Through clock_settime
/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-hipaa.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-hipaa.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-hipaa.html	2023-07-27 00:00:00.000000000 +0000
@@ -83,7 +83,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Health Insurance Portability and Accountability Act (HIPAA)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_hipaa</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:9</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:centos:centos:9 is applicable to this Benchmark">cpe:/o:centos:centos:9</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-9"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 9
                           <small>Group contains 52 groups and 135 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -500,7 +500,27 @@
 	echo "Error invoking the update-crypto-policies script: $stderr_of_call" &gt;&amp;2
 	false  # end with an error code
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    systemd:
+      units:
+        - name: configure-crypto-policy.service
+          enabled: true
+          contents: |
+            [Unit]
+            Before=kubelet.service
+            [Service]
+            Type=oneshot
+            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
+            RemainAfterExit=yes
+            [Install]
+            WantedBy=multi-user.target
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id26" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id26"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
   set_fact:
     var_system_crypto_policy: !!str <abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_system_crypto_policy">FIPS</abbr>
   tags:
@@ -543,26 +563,6 @@
   - low_disruption
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id26" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id26"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-        - name: configure-crypto-policy.service
-          enabled: true
-          contents: |
-            [Unit]
-            Before=kubelet.service
-            [Service]
-            Type=oneshot
-            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
-            RemainAfterExit=yes
-            [Install]
-            WantedBy=multi-user.target
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy" id="guide-tree-leaf-id27" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_crypto"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy"><span class="label label-default">Rule</span>  
                                 Configure SSH to use System Crypto Policy
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -1465,7 +1465,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id53" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id53"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Block Disable service debug-shell
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id53" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id53"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    systemd:
+      units:
+      - enabled: false
+        name: debug-shell.service
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id54" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id54"><pre><code>
+[customizations.services]
+disabled = ["debug-shell"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id55" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id55"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Block Disable service debug-shell
   block:
 
   - name: Disable service debug-shell
@@ -1528,20 +1542,6 @@
   - medium_severity
   - no_reboot_needed
   - service_debug-shell_disabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id54" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id54"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-      - enabled: false
-        name: debug-shell.service
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id55" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id55"><pre><code>
-[customizations.services]
-disabled = ["debug-shell"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id56" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id56"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include disable_debug-shell
 
 class disable_debug-shell {
@@ -1907,7 +1907,26 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id71" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id71"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id71" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id71"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/password-auth
+        overwrite: true
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/system-auth
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id72" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id72"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
     authselect
   ansible.builtin.stat:
     path: /usr/bin/authselect
@@ -2028,25 +2047,6 @@
   - medium_disruption
   - no_empty_passwords
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id72" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id72"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/password-auth
-        overwrite: true
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/system-auth
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_root_logins" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-restrictions"><td style="padding-left: 76px" id="xccdf_org.ssgproject.content_group_root_logins"><span class="label label-default">Group</span>  
                 Restrict Root Logins
                           <small>Group contains 3 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_root_logins" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_root_logins" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-restrictions"><td style="padding-left: 76px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_root_logins">[ref]</a>  
@@ -2098,7 +2098,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id75" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id75"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Direct root Logins Not Allowed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id75" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id75"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,
+        mode: 0600
+        path: /etc/securetty
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id76" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id76"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Direct root Logins Not Allowed
   copy:
     dest: /etc/securetty
     content: ''
@@ -2115,20 +2129,6 @@
   - no_direct_root_logins
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id76" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id76"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-ism_o.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-ism_o.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-ism_o.html	2023-07-27 00:00:00.000000000 +0000
@@ -84,7 +84,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Australian Cyber Security Centre (ACSC) ISM Official</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_ism_o</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:9</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:centos:centos:9 is applicable to this Benchmark">cpe:/o:centos:centos:9</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_avahi">Avahi Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_fapolicyd">Application Whitelisting Daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_proxy">Proxy Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_routing">Network Routing</a></li><li><a href="#xccdf_org.ssgproject.content_group_snmp">SNMP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_usbguard">USBGuard daemon</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-9"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 9
                           <small>Group contains 71 groups and 148 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -581,7 +581,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id28" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id28"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id28" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id28"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id29" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id29"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -597,19 +601,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id29" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id29"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id30" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id30"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id31" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id31"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id30" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id30"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id31" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id31"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_fips" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_integrity"><td style="padding-left: 76px" id="xccdf_org.ssgproject.content_group_fips"><span class="label label-default">Group</span>  
                 Federal Information Processing Standard (FIPS)
                           <small>Group contains  1 rule</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_fips" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_fips" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_integrity"><td style="padding-left: 76px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_fips">[ref]</a>  
@@ -725,7 +725,27 @@
 	echo "Error invoking the update-crypto-policies script: $stderr_of_call" &gt;&amp;2
 	false  # end with an error code
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id36" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id36"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id36" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id36"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    systemd:
+      units:
+        - name: configure-crypto-policy.service
+          enabled: true
+          contents: |
+            [Unit]
+            Before=kubelet.service
+            [Service]
+            Type=oneshot
+            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
+            RemainAfterExit=yes
+            [Install]
+            WantedBy=multi-user.target
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id37" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id37"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
   set_fact:
     var_system_crypto_policy: !!str <abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_system_crypto_policy">FIPS</abbr>
   tags:
@@ -768,26 +788,6 @@
   - low_disruption
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id37" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id37"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-        - name: configure-crypto-policy.service
-          enabled: true
-          contents: |
-            [Unit]
-            Before=kubelet.service
-            [Service]
-            Type=oneshot
-            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
-            RemainAfterExit=yes
-            [Install]
-            WantedBy=multi-user.target
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy" id="guide-tree-leaf-id38" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_crypto"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy"><span class="label label-default">Rule</span>  
                                 Configure SSH to use System Crypto Policy
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -847,7 +847,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id43" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id43"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id43" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id43"><pre><code>
+[[packages]]
+name = "sudo"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id44" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id44"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -861,19 +865,15 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id44" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id44"><pre><code>
-[[packages]]
-name = "sudo"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id45" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id45"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=sudo
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id46" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id46"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id45" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id45"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
 
 class install_sudo {
   package { 'sudo':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id46" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id46"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=sudo
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate" id="guide-tree-leaf-id47" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_sudo"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate"><span class="label label-default">Rule</span>  
                                 Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The sudo <code>!authenticate</code> option, when specified, allows a user to execute commands using
@@ -1119,7 +1119,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id58" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id58"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rear is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id58" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id58"><pre><code>
+[[packages]]
+name = "rear"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id59" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id59"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rear is installed
   package:
     name: rear
     state: present
@@ -1135,19 +1139,15 @@
   - medium_severity
   - no_reboot_needed
   - package_rear_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id59" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id59"><pre><code>
-[[packages]]
-name = "rear"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id60" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id60"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=rear
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id61" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id61"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_rear
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id60" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id60"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_rear
 
 class install_rear {
   package { 'rear':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id61" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id61"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=rear
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_updating" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_software"><td style="padding-left: 57px" id="xccdf_org.ssgproject.content_group_updating"><span class="label label-default">Group</span>  
                 Updating Software
                           <small>Group contains 6 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_updating" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_updating" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_software"><td style="padding-left: 57px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_updating">[ref]</a>  
@@ -5988,7 +5988,26 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id115" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id115"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id115" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id115"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/password-auth
+        overwrite: true
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/system-auth
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id116" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id116"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-ospp.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-ospp.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-ospp.html	2023-07-27 00:00:00.000000000 +0000
@@ -80,7 +80,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Protection Profile for General Purpose Operating Systems</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_ospp</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:9</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:centos:centos:9 is applicable to this Benchmark">cpe:/o:centos:centos:9</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-zipl">zIPL bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_fapolicyd">Application Whitelisting Daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_usbguard">USBGuard daemon</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-9"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 9
                           <small>Group contains 46 groups and 144 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -278,7 +278,11 @@
 if ! rpm -q --quiet "crypto-policies" ; then
     dnf install -y "crypto-policies"
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id24" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id24"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure crypto-policies is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id24" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id24"><pre><code>
+[[packages]]
+name = "crypto-policies"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure crypto-policies is installed
   package:
     name: crypto-policies
     state: present
@@ -289,19 +293,15 @@
   - medium_severity
   - no_reboot_needed
   - package_crypto-policies_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><pre><code>
-[[packages]]
-name = "crypto-policies"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id26" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id26"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=crypto-policies
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id27" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id27"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_crypto-policies
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id26" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id26"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_crypto-policies
 
 class install_crypto-policies {
   package { 'crypto-policies':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id27" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id27"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=crypto-policies
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_configure_crypto_policy" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_configure_crypto_policy" id="guide-tree-leaf-id28" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_crypto"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_configure_crypto_policy"><span class="label label-default">Rule</span>  
                                 Configure System Cryptography Policy
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_configure_crypto_policy">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">To configure the system cryptography policy to use ciphers only from the <code><abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_system_crypto_policy">FIPS:OSPP</abbr></code>
@@ -346,7 +346,27 @@
 	echo "Error invoking the update-crypto-policies script: $stderr_of_call" &gt;&amp;2
 	false  # end with an error code
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id30" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id30"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id30" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id30"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    systemd:
+      units:
+        - name: configure-crypto-policy.service
+          enabled: true
+          contents: |
+            [Unit]
+            Before=kubelet.service
+            [Service]
+            Type=oneshot
+            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
+            RemainAfterExit=yes
+            [Install]
+            WantedBy=multi-user.target
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id31" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id31"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
   set_fact:
     var_system_crypto_policy: !!str <abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_system_crypto_policy">FIPS:OSPP</abbr>
   tags:
@@ -389,26 +409,6 @@
   - low_disruption
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id31" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id31"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-        - name: configure-crypto-policy.service
-          enabled: true
-          contents: |
-            [Unit]
-            Before=kubelet.service
-            [Service]
-            Type=oneshot
-            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
-            RemainAfterExit=yes
-            [Install]
-            WantedBy=multi-user.target
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_configure_openssl_crypto_policy" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_configure_openssl_crypto_policy" id="guide-tree-leaf-id32" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_crypto"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_configure_openssl_crypto_policy"><span class="label label-default">Rule</span>  
                                 Configure OpenSSL library to use System Crypto Policy
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_configure_openssl_crypto_policy">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -622,7 +622,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id43" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id43"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id43" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id43"><pre><code>
+[[packages]]
+name = "sudo"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id44" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id44"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -636,19 +640,15 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id44" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id44"><pre><code>
-[[packages]]
-name = "sudo"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id45" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id45"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=sudo
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id46" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id46"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id45" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id45"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
 
 class install_sudo {
   package { 'sudo':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id46" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id46"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=sudo
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system-tools" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_software"><td style="padding-left: 57px" id="xccdf_org.ssgproject.content_group_system-tools"><span class="label label-default">Group</span>  
                 System Tooling / Utilities
                           <small>Group contains 4 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_system-tools" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_system-tools" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_software"><td style="padding-left: 57px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_system-tools">[ref]</a>  
@@ -668,7 +668,11 @@
 if ! rpm -q --quiet "gnutls-utils" ; then
     dnf install -y "gnutls-utils"
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id49" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id49"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure gnutls-utils is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id49" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id49"><pre><code>
+[[packages]]
+name = "gnutls-utils"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id50" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id50"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure gnutls-utils is installed
   package:
     name: gnutls-utils
     state: present
@@ -679,19 +683,15 @@
   - medium_severity
   - no_reboot_needed
   - package_gnutls-utils_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id50" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id50"><pre><code>
-[[packages]]
-name = "gnutls-utils"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id51" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id51"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=gnutls-utils
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id52" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id52"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_gnutls-utils
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id51" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id51"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_gnutls-utils
 
 class install_gnutls-utils {
   package { 'gnutls-utils':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id52" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id52"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=gnutls-utils
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_openscap-scanner_installed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_openscap-scanner_installed" id="guide-tree-leaf-id53" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system-tools"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_openscap-scanner_installed"><span class="label label-default">Rule</span>  
                                 Install openscap-scanner Package
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_openscap-scanner_installed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The <code>openscap-scanner</code> package can be installed with the following command:
@@ -703,7 +703,11 @@
 if ! rpm -q --quiet "openscap-scanner" ; then
     dnf install -y "openscap-scanner"
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id55" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id55"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure openscap-scanner is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id55" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id55"><pre><code>
+[[packages]]
+name = "openscap-scanner"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id56" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id56"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure openscap-scanner is installed
   package:
     name: openscap-scanner
     state: present
@@ -714,19 +718,15 @@
   - medium_severity
   - no_reboot_needed
   - package_openscap-scanner_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id56" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id56"><pre><code>
-[[packages]]
-name = "openscap-scanner"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id57" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id57"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=openscap-scanner
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id58" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id58"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_openscap-scanner
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id57" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id57"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_openscap-scanner
/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-pci-dss.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-pci-dss.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-pci-dss.html	2023-07-27 00:00:00.000000000 +0000
@@ -74,7 +74,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 9</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_pci-dss</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:9</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:centos:centos:9 is applicable to this Benchmark">cpe:/o:centos:centos:9</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_sssd">System Security Services Daemon</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-9"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 9
                           <small>Group contains 49 groups and 123 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -454,7 +454,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id26" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id26"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -470,19 +474,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id26" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id26"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id27" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id27"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id28" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id28"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id27" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id27"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id28" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id28"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_build_database" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_aide_build_database" id="guide-tree-leaf-id29" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_aide"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_aide_build_database"><span class="label label-default">Rule</span>  
                                 Build and Test AIDE Database
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_aide_build_database">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Run the following command to generate a new database:
@@ -814,7 +814,27 @@
 	echo "Error invoking the update-crypto-policies script: $stderr_of_call" &gt;&amp;2
 	false  # end with an error code
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id39" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id39"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id39" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id39"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    systemd:
+      units:
+        - name: configure-crypto-policy.service
+          enabled: true
+          contents: |
+            [Unit]
+            Before=kubelet.service
+            [Service]
+            Type=oneshot
+            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
+            RemainAfterExit=yes
+            [Install]
+            WantedBy=multi-user.target
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id40" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id40"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
   set_fact:
     var_system_crypto_policy: !!str <abbr title="from Benchmark/Value: xccdf_org.ssgproject.content_value_var_system_crypto_policy">DEFAULT</abbr>
   tags:
@@ -857,26 +877,6 @@
   - low_disruption
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id40" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id40"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-        - name: configure-crypto-policy.service
-          enabled: true
-          contents: |
-            [Unit]
-            Before=kubelet.service
-            [Service]
-            Type=oneshot
-            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
-            RemainAfterExit=yes
-            [Install]
-            WantedBy=multi-user.target
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy" id="guide-tree-leaf-id41" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_crypto"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy"><span class="label label-default">Rule</span>  
                                 Configure Kerberos to use System Crypto Policy
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -7001,7 +7001,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id121" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id121"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure opensc is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id121" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id121"><pre><code>
+[[packages]]
+name = "opensc"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id122" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id122"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure opensc is installed
   package:
     name: opensc
     state: present
@@ -7014,19 +7018,15 @@
   - medium_severity
   - no_reboot_needed
   - package_opensc_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id122" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id122"><pre><code>
-[[packages]]
-name = "opensc"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id123" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id123"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=opensc
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id124" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id124"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_opensc
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id123" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id123"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_opensc
 
 class install_opensc {
   package { 'opensc':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id124" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id124"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=opensc
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_pcsc-lite_installed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_pcsc-lite_installed" id="guide-tree-leaf-id125" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smart_card_login"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_pcsc-lite_installed"><span class="label label-default">Rule</span>  
                                 Install the pcsc-lite package
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_pcsc-lite_installed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The <code>pcsc-lite</code> package can be installed with the following command:
@@ -7043,7 +7043,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id127" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id127"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure pcsc-lite is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id127" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id127"><pre><code>
+[[packages]]
+name = "pcsc-lite"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id128" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id128"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure pcsc-lite is installed
   package:
     name: pcsc-lite
     state: present
@@ -7056,19 +7060,15 @@
   - medium_severity
   - no_reboot_needed
   - package_pcsc-lite_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id128" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id128"><pre><code>
-[[packages]]
-name = "pcsc-lite"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id129" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id129"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=pcsc-lite
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id130" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id130"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_pcsc-lite
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id129" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id129"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_pcsc-lite
 
 class install_pcsc-lite {
   package { 'pcsc-lite':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id130" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id130"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=pcsc-lite
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_pcscd_enabled" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_pcscd_enabled" id="guide-tree-leaf-id131" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smart_card_login"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_service_pcscd_enabled"><span class="label label-default">Rule</span>  
                                 Enable the pcscd Service
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_service_pcscd_enabled">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">
@@ -7094,7 +7094,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id133" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id133"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service pcscd
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id133" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id133"><pre><code>
+[customizations.services]
+enabled = ["pcscd"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id134" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id134"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service pcscd
   block:
 
   - name: Gather the package facts
@@ -7132,9 +7135,6 @@
   - medium_severity
   - no_reboot_needed
   - service_pcscd_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id134" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id134"><pre><code>
-[customizations.services]
-enabled = ["pcscd"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id135" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id135"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_pcscd
 
 class enable_pcscd {
@@ -7526,7 +7526,26 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-stig.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-stig.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-stig.html	2023-07-27 00:00:00.000000000 +0000
@@ -86,7 +86,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>[DRAFT] DISA STIG for Red Hat Enterprise Linux 9</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_stig</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:9</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:centos:centos:9 is applicable to this Benchmark">cpe:/o:centos:centos:9</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_fapolicyd">Application Whitelisting Daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_routing">Network Routing</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_sssd">System Security Services Daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_usbguard">USBGuard daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_xwindows">X Window System</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-9"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 9
                           <small>Group contains 115 groups and 495 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -140,7 +140,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id19" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id19"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id19" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id19"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id20" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id20"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -156,19 +160,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id20" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id20"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id21" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id21"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id21" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id21"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_check_audit_tools" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_aide_check_audit_tools" id="guide-tree-leaf-id23" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_aide"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_aide_check_audit_tools"><span class="label label-default">Rule</span>  
                                 Configure AIDE to Verify the Audit Tools
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_aide_check_audit_tools">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The operating system file integrity tool must be configured to protect the integrity of the audit tools.</div></td></tr><tr><td><span class="label label-primary">Rationale:</span></td><td><div class="rationale">Protecting the integrity of the tools used for auditing purposes is a
@@ -1497,7 +1497,11 @@
 if ! rpm -q --quiet "crypto-policies" ; then
     dnf install -y "crypto-policies"
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id52" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id52"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure crypto-policies is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id52" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id52"><pre><code>
+[[packages]]
+name = "crypto-policies"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id53" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id53"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure crypto-policies is installed
   package:
     name: crypto-policies
     state: present
@@ -1508,19 +1512,15 @@
   - medium_severity
   - no_reboot_needed
   - package_crypto-policies_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id53" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id53"><pre><code>
-[[packages]]
-name = "crypto-policies"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id54" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id54"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=crypto-policies
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id55" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id55"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_crypto-policies
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id54" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id54"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_crypto-policies
 
 class install_crypto-policies {
   package { 'crypto-policies':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id55" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id55"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=crypto-policies
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_configure_bind_crypto_policy" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_configure_bind_crypto_policy" id="guide-tree-leaf-id56" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_crypto"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_configure_bind_crypto_policy"><span class="label label-default">Rule</span>  
                                 Configure BIND to use System Crypto Policy
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_configure_bind_crypto_policy">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -1590,7 +1590,27 @@
 	echo "Error invoking the update-crypto-policies script: $stderr_of_call" &gt;&amp;2
 	false  # end with an error code
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id60" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id60"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id60" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id60"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    systemd:
+      units:
+        - name: configure-crypto-policy.service
+          enabled: true
+          contents: |
+            [Unit]
+            Before=kubelet.service
+            [Service]
+            Type=oneshot
+            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
+            RemainAfterExit=yes
+            [Install]
+            WantedBy=multi-user.target
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id61" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id61"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
   set_fact:
     var_system_crypto_policy: !!str <abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_system_crypto_policy">FIPS</abbr>
   tags:
@@ -1633,26 +1653,6 @@
   - low_disruption
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id61" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id61"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-        - name: configure-crypto-policy.service
-          enabled: true
-          contents: |
-            [Unit]
-            Before=kubelet.service
-            [Service]
-            Type=oneshot
-            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
-            RemainAfterExit=yes
-            [Install]
-            WantedBy=multi-user.target
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy" id="guide-tree-leaf-id62" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_crypto"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy"><span class="label label-default">Rule</span>  
                                 Configure Libreswan to use System Crypto Policy
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -4094,7 +4094,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id141" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id141"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id141" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id141"><pre><code>
+[[packages]]
+name = "sudo"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id142" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id142"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -4108,19 +4112,15 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id142" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id142"><pre><code>
-[[packages]]
-name = "sudo"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id143" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id143"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=sudo
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id144" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id144"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id143" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id143"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
 
 class install_sudo {
   package { 'sudo':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id144" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id144"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=sudo
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate" id="guide-tree-leaf-id145" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_sudo"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate"><span class="label label-default">Rule</span>  
                                 Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The sudo <code>!authenticate</code> option, when specified, allows a user to execute commands using
@@ -4788,7 +4788,11 @@
 if ! rpm -q --quiet "gnutls-utils" ; then
     dnf install -y "gnutls-utils"
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id160" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id160"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure gnutls-utils is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id160" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id160"><pre><code>
+[[packages]]
+name = "gnutls-utils"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id161" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id161"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure gnutls-utils is installed
   package:
     name: gnutls-utils
     state: present
@@ -4799,19 +4803,15 @@
   - medium_severity
   - no_reboot_needed
   - package_gnutls-utils_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id161" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id161"><pre><code>
-[[packages]]
-name = "gnutls-utils"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id162" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id162"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=gnutls-utils
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id163" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id163"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_gnutls-utils
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id162" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id162"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_gnutls-utils
/usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-stig_gui.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-stig_gui.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-cs9-guide-stig_gui.html	2023-07-27 00:00:00.000000000 +0000
@@ -92,7 +92,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>[DRAFT] DISA STIG with GUI for Red Hat Enterprise Linux 9</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_stig_gui</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:9</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:centos:centos:9 is applicable to this Benchmark">cpe:/o:centos:centos:9</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_fapolicyd">Application Whitelisting Daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_routing">Network Routing</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_sssd">System Security Services Daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_usbguard">USBGuard daemon</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-9"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 9
                           <small>Group contains 113 groups and 492 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -146,7 +146,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id19" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id19"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id19" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id19"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id20" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id20"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -162,19 +166,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id20" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id20"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id21" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id21"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id21" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id21"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_check_audit_tools" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_aide_check_audit_tools" id="guide-tree-leaf-id23" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_aide"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_aide_check_audit_tools"><span class="label label-default">Rule</span>  
                                 Configure AIDE to Verify the Audit Tools
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_aide_check_audit_tools">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The operating system file integrity tool must be configured to protect the integrity of the audit tools.</div></td></tr><tr><td><span class="label label-primary">Rationale:</span></td><td><div class="rationale">Protecting the integrity of the tools used for auditing purposes is a
@@ -1503,7 +1503,11 @@
 if ! rpm -q --quiet "crypto-policies" ; then
     dnf install -y "crypto-policies"
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id52" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id52"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure crypto-policies is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id52" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id52"><pre><code>
+[[packages]]
+name = "crypto-policies"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id53" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id53"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure crypto-policies is installed
   package:
     name: crypto-policies
     state: present
@@ -1514,19 +1518,15 @@
   - medium_severity
   - no_reboot_needed
   - package_crypto-policies_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id53" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id53"><pre><code>
-[[packages]]
-name = "crypto-policies"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id54" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id54"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=crypto-policies
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id55" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id55"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_crypto-policies
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id54" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id54"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_crypto-policies
 
 class install_crypto-policies {
   package { 'crypto-policies':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id55" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id55"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=crypto-policies
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_configure_bind_crypto_policy" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_configure_bind_crypto_policy" id="guide-tree-leaf-id56" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_crypto"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_configure_bind_crypto_policy"><span class="label label-default">Rule</span>  
                                 Configure BIND to use System Crypto Policy
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_configure_bind_crypto_policy">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -1596,7 +1596,27 @@
 	echo "Error invoking the update-crypto-policies script: $stderr_of_call" &gt;&amp;2
 	false  # end with an error code
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id60" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id60"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id60" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id60"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    systemd:
+      units:
+        - name: configure-crypto-policy.service
+          enabled: true
+          contents: |
+            [Unit]
+            Before=kubelet.service
+            [Service]
+            Type=oneshot
+            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
+            RemainAfterExit=yes
+            [Install]
+            WantedBy=multi-user.target
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id61" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id61"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
   set_fact:
     var_system_crypto_policy: !!str <abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_system_crypto_policy">FIPS</abbr>
   tags:
@@ -1639,26 +1659,6 @@
   - low_disruption
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id61" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id61"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-        - name: configure-crypto-policy.service
-          enabled: true
-          contents: |
-            [Unit]
-            Before=kubelet.service
-            [Service]
-            Type=oneshot
-            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
-            RemainAfterExit=yes
-            [Install]
-            WantedBy=multi-user.target
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy" id="guide-tree-leaf-id62" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_crypto"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy"><span class="label label-default">Rule</span>  
                                 Configure Libreswan to use System Crypto Policy
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -4100,7 +4100,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id141" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id141"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id141" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id141"><pre><code>
+[[packages]]
+name = "sudo"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id142" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id142"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -4114,19 +4118,15 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id142" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id142"><pre><code>
-[[packages]]
-name = "sudo"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id143" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id143"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=sudo
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id144" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id144"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id143" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id143"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
 
 class install_sudo {
   package { 'sudo':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id144" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id144"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=sudo
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate" id="guide-tree-leaf-id145" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_sudo"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate"><span class="label label-default">Rule</span>  
                                 Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The sudo <code>!authenticate</code> option, when specified, allows a user to execute commands using
@@ -4794,7 +4794,11 @@
 if ! rpm -q --quiet "gnutls-utils" ; then
     dnf install -y "gnutls-utils"
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id160" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id160"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure gnutls-utils is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id160" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id160"><pre><code>
+[[packages]]
+name = "gnutls-utils"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id161" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id161"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure gnutls-utils is installed
   package:
     name: gnutls-utils
     state: present
@@ -4805,19 +4809,15 @@
   - medium_severity
   - no_reboot_needed
   - package_gnutls-utils_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id161" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id161"><pre><code>
-[[packages]]
-name = "gnutls-utils"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id162" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id162"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=gnutls-utils
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id163" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id163"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_gnutls-utils
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id162" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id162"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_gnutls-utils
/usr/share/doc/scap-security-guide/guides/ssg-fedora-guide-cusp_fedora.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-fedora-guide-cusp_fedora.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-fedora-guide-cusp_fedora.html	2023-07-27 00:00:00.000000000 +0000
@@ -65,7 +65,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>CUSP - Common User Security Profile for Fedora Workstation</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_cusp_fedora</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:fedoraproject:fedora:36 is applicable to this Benchmark">cpe:/o:fedoraproject:fedora:36</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:fedoraproject:fedora:37 is applicable to this Benchmark">cpe:/o:fedoraproject:fedora:37</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:fedoraproject:fedora:38 is applicable to this Benchmark">cpe:/o:fedoraproject:fedora:38</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:fedoraproject:fedora:39 is applicable to this Benchmark">cpe:/o:fedoraproject:fedora:39</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:fedoraproject:fedora:40 is applicable to this Benchmark">cpe:/o:fedoraproject:fedora:40</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_dns">DNS Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_http">Web Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_imap">IMAP and POP3 Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_proxy">Proxy Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB) Microsoft Windows File Sharing Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_snmp">SNMP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_FEDORA"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_FEDORA"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Fedora
                           <small>Group contains 93 groups and 272 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_FEDORA"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -170,7 +170,27 @@
 	echo "Error invoking the update-crypto-policies script: $stderr_of_call" &gt;&amp;2
 	false  # end with an error code
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id9" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id9"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id9" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id9"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    systemd:
+      units:
+        - name: configure-crypto-policy.service
+          enabled: true
+          contents: |
+            [Unit]
+            Before=kubelet.service
+            [Service]
+            Type=oneshot
+            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
+            RemainAfterExit=yes
+            [Install]
+            WantedBy=multi-user.target
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id10" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id10"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
   set_fact:
     var_system_crypto_policy: !!str <abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_system_crypto_policy">DEFAULT</abbr>
   tags:
@@ -213,26 +233,6 @@
   - low_disruption
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id10" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id10"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-        - name: configure-crypto-policy.service
-          enabled: true
-          contents: |
-            [Unit]
-            Before=kubelet.service
-            [Service]
-            Type=oneshot
-            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
-            RemainAfterExit=yes
-            [Install]
-            WantedBy=multi-user.target
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_configure_gnutls_tls_crypto_policy" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_configure_gnutls_tls_crypto_policy" id="guide-tree-leaf-id11" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_crypto"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_configure_gnutls_tls_crypto_policy"><span class="label label-default">Rule</span>  
                                 Configure GnuTLS library to use DoD-approved TLS Encryption
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_configure_gnutls_tls_crypto_policy">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -729,7 +729,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id34" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id34"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id34" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id34"><pre><code>
+[[packages]]
+name = "sudo"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id35" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id35"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -743,19 +747,15 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id35" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id35"><pre><code>
-[[packages]]
-name = "sudo"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id36" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id36"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=sudo
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id37" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id37"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id36" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id36"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
 
 class install_sudo {
   package { 'sudo':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id37" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id37"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=sudo
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sudo_add_use_pty" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sudo_add_use_pty" id="guide-tree-leaf-id38" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_sudo"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_sudo_add_use_pty"><span class="label label-default">Rule</span>  
                                 Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_pty
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_sudo_add_use_pty">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The sudo <code>use_pty</code> tag, when specified, will only execute sudo
@@ -1318,7 +1318,11 @@
 if ! rpm -q --quiet "gnome-software" ; then
     dnf install -y "gnome-software"
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id55" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id55"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure gnome-software is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id55" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id55"><pre><code>
+[[packages]]
+name = "gnome-software"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id56" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id56"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure gnome-software is installed
   package:
     name: gnome-software
     state: present
@@ -1329,19 +1333,15 @@
   - medium_severity
   - no_reboot_needed
   - package_gnome_software_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id56" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id56"><pre><code>
-[[packages]]
-name = "gnome-software"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id57" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id57"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=gnome-software
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id58" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id58"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_gnome-software
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id57" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id57"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_gnome-software
 
 class install_gnome-software {
   package { 'gnome-software':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id58" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id58"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=gnome-software
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_accounts" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td style="padding-left: 38px" id="xccdf_org.ssgproject.content_group_accounts"><span class="label label-default">Group</span>  
                 Account and Access Control
                           <small>Group contains 12 groups and 32 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_accounts" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_accounts" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td style="padding-left: 38px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_accounts">[ref]</a>  
@@ -3684,7 +3684,26 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id95" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id95"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id95" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id95"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/password-auth
+        overwrite: true
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/system-auth
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id96" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id96"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
     authselect
   ansible.builtin.stat:
     path: /usr/bin/authselect
@@ -3805,25 +3824,6 @@
   - medium_disruption
   - no_empty_passwords
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id96" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id96"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/password-auth
-        overwrite: true
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/system-auth
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow" id="guide-tree-leaf-id97" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_password_storage"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow"><span class="label label-default">Rule</span>  
                                 Ensure There Are No Accounts With Blank or Null Passwords
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Check the "/etc/shadow" file for blank passwords with the
@@ -27550,7 +27550,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id234" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id234"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id234" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id234"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
/usr/share/doc/scap-security-guide/guides/ssg-fedora-guide-ospp.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-fedora-guide-ospp.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-fedora-guide-ospp.html	2023-07-27 00:00:00.000000000 +0000
@@ -72,7 +72,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>OSPP - Protection Profile for General Purpose Operating Systems</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_ospp</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:fedoraproject:fedora:36 is applicable to this Benchmark">cpe:/o:fedoraproject:fedora:36</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:fedoraproject:fedora:37 is applicable to this Benchmark">cpe:/o:fedoraproject:fedora:37</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:fedoraproject:fedora:38 is applicable to this Benchmark">cpe:/o:fedoraproject:fedora:38</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:fedoraproject:fedora:39 is applicable to this Benchmark">cpe:/o:fedoraproject:fedora:39</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:fedoraproject:fedora:40 is applicable to this Benchmark">cpe:/o:fedoraproject:fedora:40</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_fapolicyd">Application Whitelisting Daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_rng">Hardware RNG Entropy Gatherer Daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_sssd">System Security Services Daemon</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_FEDORA"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_FEDORA"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Fedora
                           <small>Group contains 62 groups and 206 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_FEDORA"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -537,7 +537,27 @@
 	echo "Error invoking the update-crypto-policies script: $stderr_of_call" &gt;&amp;2
 	false  # end with an error code
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id15" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id15"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id15" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id15"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    systemd:
+      units:
+        - name: configure-crypto-policy.service
+          enabled: true
+          contents: |
+            [Unit]
+            Before=kubelet.service
+            [Service]
+            Type=oneshot
+            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
+            RemainAfterExit=yes
+            [Install]
+            WantedBy=multi-user.target
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id16" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id16"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
   set_fact:
     var_system_crypto_policy: !!str <abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_system_crypto_policy">FIPS</abbr>
   tags:
@@ -580,26 +600,6 @@
   - low_disruption
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id16" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id16"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-        - name: configure-crypto-policy.service
-          enabled: true
-          contents: |
-            [Unit]
-            Before=kubelet.service
-            [Service]
-            Type=oneshot
-            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
-            RemainAfterExit=yes
-            [Install]
-            WantedBy=multi-user.target
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy" id="guide-tree-leaf-id17" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_crypto"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy"><span class="label label-default">Rule</span>  
                                 Configure Kerberos to use System Crypto Policy
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -2337,7 +2337,11 @@
 if ! rpm -q --quiet "dnf-automatic" ; then
     dnf install -y "dnf-automatic"
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id67" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id67"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure dnf-automatic is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id67" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id67"><pre><code>
+[[packages]]
+name = "dnf-automatic"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id68" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id68"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure dnf-automatic is installed
   package:
     name: dnf-automatic
     state: present
@@ -2348,19 +2352,15 @@
   - medium_severity
   - no_reboot_needed
   - package_dnf-automatic_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id68" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id68"><pre><code>
-[[packages]]
-name = "dnf-automatic"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id69" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id69"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=dnf-automatic
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id70" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id70"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_dnf-automatic
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id69" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id69"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_dnf-automatic
 
 class install_dnf-automatic {
   package { 'dnf-automatic':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id70" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id70"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=dnf-automatic
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates" id="guide-tree-leaf-id71" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_updating"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates"><span class="label label-default">Rule</span>  
                                 Configure dnf-automatic to Install Available Updates Automatically
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">To ensure that the packages comprising the available updates will be automatically installed by <code>dnf-automatic</code>, set <code>apply_updates</code> to <code>yes</code> under <code>[commands]</code> section in <code>/etc/dnf/automatic.conf</code>.</div></td></tr><tr><td><span class="label label-primary">Rationale:</span></td><td><div class="rationale">Installing software updates is a fundamental mitigation against
@@ -7288,7 +7288,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id132" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id132"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure screen is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id132" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id132"><pre><code>
+[[packages]]
+name = "screen"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id133" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id133"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure screen is installed
   package:
     name: screen
     state: present
@@ -7302,19 +7306,15 @@
   - medium_severity
   - no_reboot_needed
   - package_screen_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id133" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id133"><pre><code>
-[[packages]]
-name = "screen"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id134" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id134"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=screen
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id135" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id135"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_screen
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id134" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id134"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_screen
 
 class install_screen {
   package { 'screen':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id135" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id135"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=screen
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_debug-shell_disabled" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_debug-shell_disabled" id="guide-tree-leaf-id136" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-physical"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_service_debug-shell_disabled"><span class="label label-default">Rule</span>  
                                 Disable debug-shell SystemD Service
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_service_debug-shell_disabled">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">SystemD's <code>debug-shell</code> service is intended to
@@ -7350,7 +7350,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id138" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id138"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Block Disable service debug-shell
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id138" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id138"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    systemd:
+      units:
+      - enabled: false
+        name: debug-shell.service
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id139" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id139"><pre><code>
+[customizations.services]
+disabled = ["debug-shell"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id140" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id140"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Block Disable service debug-shell
   block:
 
   - name: Disable service debug-shell
@@ -7413,20 +7427,6 @@
   - medium_severity
   - no_reboot_needed
   - service_debug-shell_disabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id139" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id139"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-      - enabled: false
-        name: debug-shell.service
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id140" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id140"><pre><code>
-[customizations.services]
-disabled = ["debug-shell"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id141" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id141"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include disable_debug-shell
 
 class disable_debug-shell {
@@ -7696,7 +7696,26 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id150" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id150"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id150" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id150"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
/usr/share/doc/scap-security-guide/guides/ssg-fedora-guide-pci-dss.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-fedora-guide-pci-dss.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-fedora-guide-pci-dss.html	2023-07-27 00:00:00.000000000 +0000
@@ -65,7 +65,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>PCI-DSS v3.2.1 Control Baseline for Fedora</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_pci-dss</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:fedoraproject:fedora:36 is applicable to this Benchmark">cpe:/o:fedoraproject:fedora:36</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:fedoraproject:fedora:37 is applicable to this Benchmark">cpe:/o:fedoraproject:fedora:37</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:fedoraproject:fedora:38 is applicable to this Benchmark">cpe:/o:fedoraproject:fedora:38</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:fedoraproject:fedora:39 is applicable to this Benchmark">cpe:/o:fedoraproject:fedora:39</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:fedoraproject:fedora:40 is applicable to this Benchmark">cpe:/o:fedoraproject:fedora:40</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_sssd">System Security Services Daemon</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_FEDORA"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_FEDORA"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Fedora
                           <small>Group contains 47 groups and 121 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_FEDORA"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -445,7 +445,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id13" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id13"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id13" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id13"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id14" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id14"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -461,19 +465,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id14" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id14"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id15" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id15"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id16" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id16"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id15" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id15"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id16" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id16"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_build_database" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_aide_build_database" id="guide-tree-leaf-id17" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_aide"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_aide_build_database"><span class="label label-default">Rule</span>  
                                 Build and Test AIDE Database
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_aide_build_database">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Run the following command to generate a new database:
@@ -805,7 +805,27 @@
 	echo "Error invoking the update-crypto-policies script: $stderr_of_call" &gt;&amp;2
 	false  # end with an error code
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id27" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id27"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id27" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id27"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    systemd:
+      units:
+        - name: configure-crypto-policy.service
+          enabled: true
+          contents: |
+            [Unit]
+            Before=kubelet.service
+            [Service]
+            Type=oneshot
+            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
+            RemainAfterExit=yes
+            [Install]
+            WantedBy=multi-user.target
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id28" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id28"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
   set_fact:
     var_system_crypto_policy: !!str <abbr title="from Benchmark/Value: xccdf_org.ssgproject.content_value_var_system_crypto_policy">DEFAULT</abbr>
   tags:
@@ -848,26 +868,6 @@
   - low_disruption
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id28" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id28"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-        - name: configure-crypto-policy.service
-          enabled: true
-          contents: |
-            [Unit]
-            Before=kubelet.service
-            [Service]
-            Type=oneshot
-            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
-            RemainAfterExit=yes
-            [Install]
-            WantedBy=multi-user.target
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy" id="guide-tree-leaf-id29" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_crypto"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy"><span class="label label-default">Rule</span>  
                                 Configure Kerberos to use System Crypto Policy
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -6506,7 +6506,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id104" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id104"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure opensc is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id104" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id104"><pre><code>
+[[packages]]
+name = "opensc"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id105" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id105"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure opensc is installed
   package:
     name: opensc
     state: present
@@ -6519,19 +6523,15 @@
   - medium_severity
   - no_reboot_needed
   - package_opensc_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id105" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id105"><pre><code>
-[[packages]]
-name = "opensc"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id106" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id106"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=opensc
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id107" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id107"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_opensc
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id106" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id106"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_opensc
 
 class install_opensc {
   package { 'opensc':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id107" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id107"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=opensc
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_pcsc-lite_installed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_pcsc-lite_installed" id="guide-tree-leaf-id108" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smart_card_login"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_pcsc-lite_installed"><span class="label label-default">Rule</span>  
                                 Install the pcsc-lite package
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_pcsc-lite_installed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The <code>pcsc-lite</code> package can be installed with the following command:
@@ -6548,7 +6548,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id110" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id110"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure pcsc-lite is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id110" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id110"><pre><code>
+[[packages]]
+name = "pcsc-lite"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id111" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id111"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure pcsc-lite is installed
   package:
     name: pcsc-lite
     state: present
@@ -6561,19 +6565,15 @@
   - medium_severity
   - no_reboot_needed
   - package_pcsc-lite_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id111" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id111"><pre><code>
-[[packages]]
-name = "pcsc-lite"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id112" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id112"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=pcsc-lite
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id113" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id113"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_pcsc-lite
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id112" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id112"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_pcsc-lite
 
 class install_pcsc-lite {
   package { 'pcsc-lite':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id113" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id113"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=pcsc-lite
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_pcscd_enabled" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_pcscd_enabled" id="guide-tree-leaf-id114" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smart_card_login"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_service_pcscd_enabled"><span class="label label-default">Rule</span>  
                                 Enable the pcscd Service
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_service_pcscd_enabled">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">
@@ -6599,7 +6599,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id116" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id116"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service pcscd
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id116" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id116"><pre><code>
+[customizations.services]
+enabled = ["pcscd"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id117" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id117"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service pcscd
   block:
 
   - name: Gather the package facts
@@ -6637,9 +6640,6 @@
   - medium_severity
   - no_reboot_needed
   - service_pcscd_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id117" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id117"><pre><code>
-[customizations.services]
-enabled = ["pcscd"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id118" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id118"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_pcscd
 
 class enable_pcscd {
@@ -7153,7 +7153,26 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
/usr/share/doc/scap-security-guide/guides/ssg-fedora-guide-standard.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-fedora-guide-standard.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-fedora-guide-standard.html	2023-07-27 00:00:00.000000000 +0000
@@ -66,7 +66,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Standard System Security Profile for Fedora</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_standard</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:fedoraproject:fedora:36 is applicable to this Benchmark">cpe:/o:fedoraproject:fedora:36</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:fedoraproject:fedora:37 is applicable to this Benchmark">cpe:/o:fedoraproject:fedora:37</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:fedoraproject:fedora:38 is applicable to this Benchmark">cpe:/o:fedoraproject:fedora:38</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:fedoraproject:fedora:39 is applicable to this Benchmark">cpe:/o:fedoraproject:fedora:39</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:fedoraproject:fedora:40 is applicable to this Benchmark">cpe:/o:fedoraproject:fedora:40</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_FEDORA"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_FEDORA"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Fedora
                           <small>Group contains 39 groups and 76 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_FEDORA"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -621,7 +621,27 @@
 	echo "Error invoking the update-crypto-policies script: $stderr_of_call" &gt;&amp;2
 	false  # end with an error code
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id18" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id18"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id18" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id18"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    systemd:
+      units:
+        - name: configure-crypto-policy.service
+          enabled: true
+          contents: |
+            [Unit]
+            Before=kubelet.service
+            [Service]
+            Type=oneshot
+            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
+            RemainAfterExit=yes
+            [Install]
+            WantedBy=multi-user.target
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id19" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id19"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
   set_fact:
     var_system_crypto_policy: !!str <abbr title="from Benchmark/Value: xccdf_org.ssgproject.content_value_var_system_crypto_policy">DEFAULT</abbr>
   tags:
@@ -664,26 +684,6 @@
   - low_disruption
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id19" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id19"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-        - name: configure-crypto-policy.service
-          enabled: true
-          contents: |
-            [Unit]
-            Before=kubelet.service
-            [Service]
-            Type=oneshot
-            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
-            RemainAfterExit=yes
-            [Install]
-            WantedBy=multi-user.target
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy" id="guide-tree-leaf-id20" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_crypto"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy"><span class="label label-default">Rule</span>  
                                 Configure Kerberos to use System Crypto Policy
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -2102,7 +2102,26 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id55" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id55"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id55" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id55"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/password-auth
+        overwrite: true
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/system-auth
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id56" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id56"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
     authselect
   ansible.builtin.stat:
     path: /usr/bin/authselect
@@ -2223,25 +2242,6 @@
   - medium_disruption
   - no_empty_passwords
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id56" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id56"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/password-auth
-        overwrite: true
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/system-auth
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_no_netrc_files" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_no_netrc_files" id="guide-tree-leaf-id57" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_password_storage"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_no_netrc_files"><span class="label label-default">Rule</span>  
                                 Verify No netrc Files Exist
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_no_netrc_files">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The <code>.netrc</code> files contain login information
@@ -2316,7 +2316,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id62" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id62"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Direct root Logins Not Allowed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id62" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id62"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,
+        mode: 0600
+        path: /etc/securetty
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id63" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id63"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Direct root Logins Not Allowed
   copy:
     dest: /etc/securetty
     content: ''
@@ -2333,20 +2347,6 @@
   - no_direct_root_logins
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id63" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id63"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,
-        mode: 0600
-        path: /etc/securetty
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_restrict_serial_port_logins" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_restrict_serial_port_logins" id="guide-tree-leaf-id64" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_root_logins"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_restrict_serial_port_logins"><span class="label label-default">Rule</span>  
                                 Restrict Serial Port Root Logins
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_restrict_serial_port_logins">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">To restrict root logins on serial ports,
@@ -13695,7 +13695,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id123" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id123"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id123" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id123"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db64%20-S%20adjtimex%20-k%20audit_time_rules%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20adjtimex%20-k%20audit_time_rules%0A }}
+        mode: 0600
+        path: /etc/audit/rules.d/75-syscall-adjtimex.rules
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id124" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id124"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -14019,20 +14033,6 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id124" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id124"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_enhanced.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_enhanced.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_enhanced.html	2023-07-27 00:00:00.000000000 +0000
@@ -71,7 +71,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>ANSSI-BP-028 (enhanced)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_nt28_enhanced</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:oracle:linux:7 is applicable to this Benchmark">cpe:/o:oracle:linux:7</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_OL-7"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_OL-7"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Oracle Linux 7
                           <small>Group contains 69 groups and 223 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_OL-7"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -125,7 +125,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id18" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id18"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id18" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id18"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id19" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id19"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -142,19 +146,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id19" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id19"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id20" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id20"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id21" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id21"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id20" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id20"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id21" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id21"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_build_database" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_aide_build_database" id="guide-tree-leaf-id22" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_aide"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_aide_build_database"><span class="label label-default">Rule</span>  
                                 Build and Test AIDE Database
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_aide_build_database">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Run the following command to generate a new database:
@@ -525,7 +525,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id51" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id51"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id51" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id51"><pre><code>
+[[packages]]
+name = "sudo"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id52" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id52"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -539,19 +543,15 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id52" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id52"><pre><code>
-[[packages]]
-name = "sudo"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id53" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id53"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=sudo
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id54" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id54"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id53" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id53"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
 
 class install_sudo {
   package { 'sudo':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id54" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id54"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=sudo
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sudo_add_env_reset" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sudo_add_env_reset" id="guide-tree-leaf-id55" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_sudo"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_sudo_add_env_reset"><span class="label label-default">Rule</span>  
                                 Ensure sudo Runs In A Minimal Environment - sudo env_reset
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_sudo_add_env_reset">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The sudo <code>env_reset</code> tag, when specified, will run the command in a minimal environment,
@@ -42446,7 +42446,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id309" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id309"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id309" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id309"><pre><code>[customizations.kernel]
+append = "iommu=force"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id310" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id310"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -42518,8 +42520,6 @@
   - reboot_required
   - restrict_strategy
   - unknown_severity
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id310" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id310"><pre><code>[customizations.kernel]
-append = "iommu=force"
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_l1tf_argument" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_grub2_l1tf_argument" id="guide-tree-leaf-id311" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_bootloader-grub2"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_grub2_l1tf_argument"><span class="label label-default">Rule</span>  
                                 Configure L1 Terminal Fault mitigations
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_grub2_l1tf_argument">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">L1 Terminal Fault (L1TF) is a hardware vulnerability which allows unprivileged
@@ -42563,7 +42563,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id313" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id313"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id313" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id313"><pre><code>[customizations.kernel]
+append = "l1tf=<abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_l1tf_options">full,force</abbr>"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id314" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id314"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -42640,8 +42642,6 @@
   - medium_complexity
   - reboot_required
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id314" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id314"><pre><code>[customizations.kernel]
-append = "l1tf=<abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_l1tf_options">full,force</abbr>"
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_mce_argument" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_grub2_mce_argument" id="guide-tree-leaf-id315" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_bootloader-grub2"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_grub2_mce_argument"><span class="label label-default">Rule</span>  
                                 Force kernel panic on uncorrected MCEs
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_grub2_mce_argument">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">A Machine Check Exception is an error generated by the CPU itdetects an error
@@ -42675,7 +42675,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id317" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id317"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id317" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id317"><pre><code>[customizations.kernel]
+append = "mce=0"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id318" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id318"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -42747,8 +42749,6 @@
   - medium_severity
   - reboot_required
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id318" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id318"><pre><code>[customizations.kernel]
-append = "mce=0"
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_nosmap_argument_absent" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_grub2_nosmap_argument_absent" id="guide-tree-leaf-id319" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_bootloader-grub2"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_grub2_nosmap_argument_absent"><span class="label label-default">Rule</span>  
                                 Ensure SMAP is not disabled during boot
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_grub2_nosmap_argument_absent">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The SMAP is used to prevent the supervisor mode from unintentionally reading/writing into
@@ -42957,7 +42957,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id327" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id327"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id327" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id327"><pre><code>[customizations.kernel]
+append = "rng_core.default_quality=<abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_rng_core_default_quality">500</abbr>"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id328" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id328"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -43035,8 +43037,6 @@
   - medium_complexity
   - reboot_required
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id328" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id328"><pre><code>[customizations.kernel]
-append = "rng_core.default_quality=<abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_rng_core_default_quality">500</abbr>"
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_slab_nomerge_argument" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_grub2_slab_nomerge_argument" id="guide-tree-leaf-id329" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_bootloader-grub2"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_grub2_slab_nomerge_argument"><span class="label label-default">Rule</span>  
                                 Disable merging of slabs with similar size
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_grub2_slab_nomerge_argument">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The kernel may merge similar slabs together to reduce overhead and increase
@@ -43073,7 +43073,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id331" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id331"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id331" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id331"><pre><code>[customizations.kernel]
+append = "slab_nomerge=yes"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id332" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id332"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -43145,8 +43147,6 @@
   - medium_severity
   - reboot_required
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id332" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id332"><pre><code>[customizations.kernel]
-append = "slab_nomerge=yes"
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_spec_store_bypass_disable_argument" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_grub2_spec_store_bypass_disable_argument" id="guide-tree-leaf-id333" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_bootloader-grub2"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_grub2_spec_store_bypass_disable_argument"><span class="label label-default">Rule</span>  
                                 Configure Speculative Store Bypass Mitigation
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_grub2_spec_store_bypass_disable_argument">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Certain CPUs are vulnerable to an exploit against a common wide industry wide performance
@@ -43193,7 +43193,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id335" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id335"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id335" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id335"><pre><code>[customizations.kernel]
+append = "spec_store_bypass_disable=<abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_spec_store_bypass_disable_options">seccomp</abbr>"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id336" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id336"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -43272,8 +43274,6 @@
   - medium_severity
   - reboot_required
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id336" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id336"><pre><code>[customizations.kernel]
-append = "spec_store_bypass_disable=<abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_spec_store_bypass_disable_options">seccomp</abbr>"
/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_high.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_high.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_high.html	2023-07-27 00:00:00.000000000 +0000
@@ -71,7 +71,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>DRAFT - ANSSI-BP-028 (high)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_nt28_high</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:oracle:linux:7 is applicable to this Benchmark">cpe:/o:oracle:linux:7</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_kernel_build_config">Kernel Configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_OL-7"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_OL-7"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Oracle Linux 7
                           <small>Group contains 70 groups and 277 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_OL-7"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -125,7 +125,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id18" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id18"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id18" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id18"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id19" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id19"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -142,19 +146,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id19" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id19"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id20" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id20"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id21" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id21"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id20" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id20"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id21" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id21"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_build_database" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_aide_build_database" id="guide-tree-leaf-id22" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_aide"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_aide_build_database"><span class="label label-default">Rule</span>  
                                 Build and Test AIDE Database
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_aide_build_database">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Run the following command to generate a new database:
@@ -847,7 +847,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id61" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id61"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id61" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id61"><pre><code>
+[[packages]]
+name = "sudo"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id62" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id62"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -861,19 +865,15 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id62" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id62"><pre><code>
-[[packages]]
-name = "sudo"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id63" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id63"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=sudo
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id64" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id64"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id63" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id63"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
 
 class install_sudo {
   package { 'sudo':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id64" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id64"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=sudo
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sudo_add_env_reset" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sudo_add_env_reset" id="guide-tree-leaf-id65" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_sudo"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_sudo_add_env_reset"><span class="label label-default">Rule</span>  
                                 Ensure sudo Runs In A Minimal Environment - sudo env_reset
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_sudo_add_env_reset">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The sudo <code>env_reset</code> tag, when specified, will run the command in a minimal environment,
@@ -42768,7 +42768,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id319" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id319"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id319" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id319"><pre><code>[customizations.kernel]
+append = "iommu=force"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id320" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id320"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -42840,8 +42842,6 @@
   - reboot_required
   - restrict_strategy
   - unknown_severity
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id320" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id320"><pre><code>[customizations.kernel]
-append = "iommu=force"
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_l1tf_argument" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_grub2_l1tf_argument" id="guide-tree-leaf-id321" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_bootloader-grub2"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_grub2_l1tf_argument"><span class="label label-default">Rule</span>  
                                 Configure L1 Terminal Fault mitigations
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_grub2_l1tf_argument">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">L1 Terminal Fault (L1TF) is a hardware vulnerability which allows unprivileged
@@ -42885,7 +42885,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id323" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id323"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id323" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id323"><pre><code>[customizations.kernel]
+append = "l1tf=<abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_l1tf_options">full,force</abbr>"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id324" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id324"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -42962,8 +42964,6 @@
   - medium_complexity
   - reboot_required
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id324" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id324"><pre><code>[customizations.kernel]
-append = "l1tf=<abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_l1tf_options">full,force</abbr>"
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_mce_argument" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_grub2_mce_argument" id="guide-tree-leaf-id325" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_bootloader-grub2"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_grub2_mce_argument"><span class="label label-default">Rule</span>  
                                 Force kernel panic on uncorrected MCEs
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_grub2_mce_argument">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">A Machine Check Exception is an error generated by the CPU itdetects an error
@@ -42997,7 +42997,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id327" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id327"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id327" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id327"><pre><code>[customizations.kernel]
+append = "mce=0"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id328" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id328"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -43069,8 +43071,6 @@
   - medium_severity
   - reboot_required
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id328" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id328"><pre><code>[customizations.kernel]
-append = "mce=0"
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_nosmap_argument_absent" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_grub2_nosmap_argument_absent" id="guide-tree-leaf-id329" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_bootloader-grub2"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_grub2_nosmap_argument_absent"><span class="label label-default">Rule</span>  
                                 Ensure SMAP is not disabled during boot
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_grub2_nosmap_argument_absent">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The SMAP is used to prevent the supervisor mode from unintentionally reading/writing into
@@ -43279,7 +43279,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id337" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id337"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id337" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id337"><pre><code>[customizations.kernel]
+append = "rng_core.default_quality=<abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_rng_core_default_quality">500</abbr>"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id338" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id338"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -43357,8 +43359,6 @@
   - medium_complexity
   - reboot_required
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id338" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id338"><pre><code>[customizations.kernel]
-append = "rng_core.default_quality=<abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_rng_core_default_quality">500</abbr>"
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_slab_nomerge_argument" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_grub2_slab_nomerge_argument" id="guide-tree-leaf-id339" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_bootloader-grub2"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_grub2_slab_nomerge_argument"><span class="label label-default">Rule</span>  
                                 Disable merging of slabs with similar size
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_grub2_slab_nomerge_argument">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The kernel may merge similar slabs together to reduce overhead and increase
@@ -43395,7 +43395,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id341" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id341"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id341" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id341"><pre><code>[customizations.kernel]
+append = "slab_nomerge=yes"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id342" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id342"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -43467,8 +43469,6 @@
   - medium_severity
   - reboot_required
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id342" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id342"><pre><code>[customizations.kernel]
-append = "slab_nomerge=yes"
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_spec_store_bypass_disable_argument" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_grub2_spec_store_bypass_disable_argument" id="guide-tree-leaf-id343" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_bootloader-grub2"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_grub2_spec_store_bypass_disable_argument"><span class="label label-default">Rule</span>  
                                 Configure Speculative Store Bypass Mitigation
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_grub2_spec_store_bypass_disable_argument">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Certain CPUs are vulnerable to an exploit against a common wide industry wide performance
@@ -43515,7 +43515,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id345" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id345"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id345" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id345"><pre><code>[customizations.kernel]
+append = "spec_store_bypass_disable=<abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_spec_store_bypass_disable_options">seccomp</abbr>"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id346" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id346"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -43594,8 +43596,6 @@
   - medium_severity
   - reboot_required
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id346" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id346"><pre><code>[customizations.kernel]
-append = "spec_store_bypass_disable=<abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_spec_store_bypass_disable_options">seccomp</abbr>"
/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_intermediary.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_intermediary.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_intermediary.html	2023-07-27 00:00:00.000000000 +0000
@@ -71,7 +71,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>ANSSI-BP-028 (intermediary)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_nt28_intermediary</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:oracle:linux:7 is applicable to this Benchmark">cpe:/o:oracle:linux:7</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_OL-7"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_OL-7"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Oracle Linux 7
                           <small>Group contains 55 groups and 158 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_OL-7"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -125,7 +125,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id18" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id18"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id18" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id18"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id19" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id19"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -142,19 +146,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id19" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id19"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id20" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id20"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id21" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id21"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id20" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id20"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id21" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id21"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_build_database" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_aide_build_database" id="guide-tree-leaf-id22" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_aide"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_aide_build_database"><span class="label label-default">Rule</span>  
                                 Build and Test AIDE Database
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_aide_build_database">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Run the following command to generate a new database:
@@ -405,7 +405,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id45" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id45"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id45" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id45"><pre><code>
+[[packages]]
+name = "sudo"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id46" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id46"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -419,19 +423,15 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id46" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id46"><pre><code>
-[[packages]]
-name = "sudo"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id47" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id47"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=sudo
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id48" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id48"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id47" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id47"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
 
 class install_sudo {
   package { 'sudo':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id48" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id48"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=sudo
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sudo_add_env_reset" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sudo_add_env_reset" id="guide-tree-leaf-id49" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_sudo"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_sudo_add_env_reset"><span class="label label-default">Rule</span>  
                                 Ensure sudo Runs In A Minimal Environment - sudo env_reset
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_sudo_add_env_reset">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The sudo <code>env_reset</code> tag, when specified, will run the command in a minimal environment,
@@ -9552,7 +9552,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id154" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id154"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id154" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id154"><pre><code>[customizations.kernel]
+append = "l1tf=<abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_l1tf_options">full,force</abbr>"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id155" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id155"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -9629,8 +9631,6 @@
   - medium_complexity
   - reboot_required
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id155" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id155"><pre><code>[customizations.kernel]
-append = "l1tf=<abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_l1tf_options">full,force</abbr>"
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_mce_argument" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_grub2_mce_argument" id="guide-tree-leaf-id156" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_bootloader-grub2"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_grub2_mce_argument"><span class="label label-default">Rule</span>  
                                 Force kernel panic on uncorrected MCEs
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_grub2_mce_argument">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">A Machine Check Exception is an error generated by the CPU itdetects an error
@@ -9664,7 +9664,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id158" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id158"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id158" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id158"><pre><code>[customizations.kernel]
+append = "mce=0"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id159" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id159"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -9736,8 +9738,6 @@
   - medium_severity
   - reboot_required
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id159" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id159"><pre><code>[customizations.kernel]
-append = "mce=0"
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_rng_core_default_quality_argument" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_grub2_rng_core_default_quality_argument" id="guide-tree-leaf-id160" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_bootloader-grub2"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_grub2_rng_core_default_quality_argument"><span class="label label-default">Rule</span>  
                                 Configure the confidence in TPM for entropy
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_grub2_rng_core_default_quality_argument">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The TPM security chip that is available in most modern systems has a hardware RNG.
@@ -9784,7 +9784,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id162" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id162"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id162" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id162"><pre><code>[customizations.kernel]
+append = "rng_core.default_quality=<abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_rng_core_default_quality">500</abbr>"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id163" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id163"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -9862,8 +9864,6 @@
   - medium_complexity
   - reboot_required
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id163" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id163"><pre><code>[customizations.kernel]
-append = "rng_core.default_quality=<abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_rng_core_default_quality">500</abbr>"
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_slab_nomerge_argument" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_grub2_slab_nomerge_argument" id="guide-tree-leaf-id164" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_bootloader-grub2"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_grub2_slab_nomerge_argument"><span class="label label-default">Rule</span>  
                                 Disable merging of slabs with similar size
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_grub2_slab_nomerge_argument">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The kernel may merge similar slabs together to reduce overhead and increase
@@ -9900,7 +9900,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id166" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id166"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id166" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id166"><pre><code>[customizations.kernel]
+append = "slab_nomerge=yes"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id167" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id167"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -9972,8 +9974,6 @@
   - medium_severity
   - reboot_required
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id167" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id167"><pre><code>[customizations.kernel]
-append = "slab_nomerge=yes"
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_spec_store_bypass_disable_argument" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_grub2_spec_store_bypass_disable_argument" id="guide-tree-leaf-id168" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_bootloader-grub2"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_grub2_spec_store_bypass_disable_argument"><span class="label label-default">Rule</span>  
                                 Configure Speculative Store Bypass Mitigation
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_grub2_spec_store_bypass_disable_argument">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Certain CPUs are vulnerable to an exploit against a common wide industry wide performance
@@ -10020,7 +10020,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id170" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id170"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id170" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id170"><pre><code>[customizations.kernel]
+append = "spec_store_bypass_disable=<abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_spec_store_bypass_disable_options">seccomp</abbr>"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id171" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id171"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -10099,8 +10101,6 @@
   - medium_severity
   - reboot_required
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id171" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id171"><pre><code>[customizations.kernel]
-append = "spec_store_bypass_disable=<abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_spec_store_bypass_disable_options">seccomp</abbr>"
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_spectre_v2_argument" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_grub2_spectre_v2_argument" id="guide-tree-leaf-id172" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_bootloader-grub2"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_grub2_spectre_v2_argument"><span class="label label-default">Rule</span>  
                                 Enforce Spectre v2 mitigation
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_grub2_spectre_v2_argument">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Spectre V2 is an indirect branch poisoning attack that can lead to data leakage.
@@ -10137,7 +10137,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id174" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id174"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id174" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id174"><pre><code>[customizations.kernel]
+append = "spectre_v2=on"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id175" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id175"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -10209,8 +10211,6 @@
   - medium_complexity
   - reboot_required
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id175" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id175"><pre><code>[customizations.kernel]
-append = "spectre_v2=on"
/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_minimal.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_minimal.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-anssi_nt28_minimal.html	2023-07-27 00:00:00.000000000 +0000
@@ -71,7 +71,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>ANSSI-BP-028 (minimal)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_nt28_minimal</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:oracle:linux:7 is applicable to this Benchmark">cpe:/o:oracle:linux:7</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_OL-7"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_OL-7"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Oracle Linux 7
                           <small>Group contains 26 groups and 42 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_OL-7"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -8212,15 +8212,15 @@
   - medium_severity
   - no_reboot_needed
   - package_dhcp_removed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id96" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id96"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=dhcp
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id97" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id97"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_dhcp
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id96" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id96"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_dhcp
 
 class remove_dhcp {
   package { 'dhcp':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id97" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id97"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=dhcp
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_mail" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td style="padding-left: 38px" id="xccdf_org.ssgproject.content_group_mail"><span class="label label-default">Group</span>  
                 Mail Server Software
                           <small>Group contains  1 rule</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_mail" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_mail" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td style="padding-left: 38px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_mail">[ref]</a>  
@@ -8286,15 +8286,15 @@
   - medium_severity
   - no_reboot_needed
   - package_sendmail_removed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id101" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id101"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=sendmail
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id102" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id102"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_sendmail
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id101" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id101"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_sendmail
 
 class remove_sendmail {
   package { 'sendmail':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id102" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id102"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=sendmail
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_obsolete" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td style="padding-left: 38px" id="xccdf_org.ssgproject.content_group_obsolete"><span class="label label-default">Group</span>  
                 Obsolete Services
                           <small>Group contains 6 groups and 11 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_obsolete" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_obsolete" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td style="padding-left: 38px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_obsolete">[ref]</a>  
@@ -8361,15 +8361,15 @@
   - low_severity
   - no_reboot_needed
   - package_xinetd_removed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id106" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id106"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=xinetd
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id107" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id107"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_xinetd
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id106" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id106"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_xinetd
 
 class remove_xinetd {
   package { 'xinetd':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id107" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id107"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=xinetd
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_nis" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td style="padding-left: 57px" id="xccdf_org.ssgproject.content_group_nis"><span class="label label-default">Group</span>  
                 NIS
                           <small>Group contains 2 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_nis" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_nis" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td style="padding-left: 57px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_nis">[ref]</a>  
@@ -8412,15 +8412,15 @@
   - no_reboot_needed
   - package_ypbind_removed
   - unknown_severity
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id111" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id111"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=ypbind
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id112" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id112"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_ypbind
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id111" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id111"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_ypbind
 
 class remove_ypbind {
   package { 'ypbind':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id112" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id112"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=ypbind
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_ypserv_removed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ypserv_removed" id="guide-tree-leaf-id113" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_nis"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_ypserv_removed"><span class="label label-default">Rule</span>  
                                 Uninstall ypserv Package
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_ypserv_removed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The <code>ypserv</code> package can be removed with the following command:
@@ -8461,15 +8461,15 @@
   - low_disruption
   - no_reboot_needed
   - package_ypserv_removed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id116" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id116"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=ypserv
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id117" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id117"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_ypserv
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id116" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id116"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_ypserv
 
 class remove_ypserv {
   package { 'ypserv':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id117" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id117"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=ypserv
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_r_services" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td style="padding-left: 57px" id="xccdf_org.ssgproject.content_group_r_services"><span class="label label-default">Group</span>  
                 Rlogin, Rsh, and Rexec
                           <small>Group contains 2 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_r_services" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_r_services" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td style="padding-left: 57px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_r_services">[ref]</a>  
@@ -8513,15 +8513,15 @@
   - low_disruption
   - no_reboot_needed
   - package_rsh-server_removed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id121" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id121"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=rsh-server
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id122" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id122"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_rsh-server
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id121" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id121"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_rsh-server
 
 class remove_rsh-server {
   package { 'rsh-server':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id122" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id122"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=rsh-server
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_rsh_removed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_rsh_removed" id="guide-tree-leaf-id123" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_rsh_removed"><span class="label label-default">Rule</span>  
                                 Uninstall rsh Package
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_rsh_removed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">
@@ -8560,15 +8560,15 @@
   - no_reboot_needed
   - package_rsh_removed
   - unknown_severity
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id126" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id126"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=rsh
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id127" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id127"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_rsh
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id126" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id126"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_rsh
 
 class remove_rsh {
   package { 'rsh':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id127" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id127"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=rsh
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_talk" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td style="padding-left: 57px" id="xccdf_org.ssgproject.content_group_talk"><span class="label label-default">Group</span>  
                 Chat/Messaging Services
                           <small>Group contains 2 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_talk" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_talk" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td style="padding-left: 57px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_talk">[ref]</a>  
@@ -8601,15 +8601,15 @@
   - medium_severity
   - no_reboot_needed
   - package_talk-server_removed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id131" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id131"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=talk-server
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id132" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id132"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_talk-server
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id131" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id131"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_talk-server
 
 class remove_talk-server {
   package { 'talk-server':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id132" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id132"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=talk-server
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_talk_removed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_talk_removed" id="guide-tree-leaf-id133" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_talk"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_talk_removed"><span class="label label-default">Rule</span>  
                                 Uninstall talk Package
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_talk_removed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The <code>talk</code> package contains the client program for the
@@ -8645,15 +8645,15 @@
   - medium_severity
   - no_reboot_needed
   - package_talk_removed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id136" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id136"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=talk
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id137" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id137"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_talk
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id136" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id136"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_talk
 
 class remove_talk {
   package { 'talk':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id137" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id137"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=talk
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_telnet" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td style="padding-left: 57px" id="xccdf_org.ssgproject.content_group_telnet"><span class="label label-default">Group</span>  
                 Telnet
                           <small>Group contains 2 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_telnet" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_telnet" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td style="padding-left: 57px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_telnet">[ref]</a>  
@@ -8706,15 +8706,15 @@
   - low_disruption
   - no_reboot_needed
   - package_telnet-server_removed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id141" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id141"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=telnet-server
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id142" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id142"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_telnet-server
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id141" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id141"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_telnet-server
 
 class remove_telnet-server {
   package { 'telnet-server':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id142" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id142"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=telnet-server
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_telnet_removed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnet_removed" id="guide-tree-leaf-id143" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_telnet"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_telnet_removed"><span class="label label-default">Rule</span>  
                                 Remove telnet Clients
/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-cjis.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-cjis.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-cjis.html	2023-07-27 00:00:00.000000000 +0000
@@ -69,7 +69,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Criminal Justice Information Services (CJIS) Security Policy</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_cjis</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:oracle:linux:7 is applicable to this Benchmark">cpe:/o:oracle:linux:7</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_OL-7"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_OL-7"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Oracle Linux 7
                           <small>Group contains 47 groups and 102 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_OL-7"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -458,7 +458,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id24" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id24"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id24" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id24"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -475,19 +479,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id26" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id26"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id27" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id27"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id26" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id26"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id27" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id27"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_build_database" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_aide_build_database" id="guide-tree-leaf-id28" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_aide"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_aide_build_database"><span class="label label-default">Rule</span>  
                                 Build and Test AIDE Database
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_aide_build_database">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Run the following command to generate a new database:
@@ -4177,7 +4177,26 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id92" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id92"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id92" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id92"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/password-auth
+        overwrite: true
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/system-auth
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id93" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id93"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
     authselect
   ansible.builtin.stat:
     path: /usr/bin/authselect
@@ -4301,25 +4320,6 @@
   - medium_disruption
   - no_empty_passwords
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id93" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id93"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/password-auth
-        overwrite: true
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/system-auth
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_accounts-session" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts"><td style="padding-left: 57px" id="xccdf_org.ssgproject.content_group_accounts-session"><span class="label label-default">Group</span>  
                 Secure Session Configuration Files for Login Accounts
                           <small>Group contains  1 rule</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_accounts-session" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_accounts-session" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts"><td style="padding-left: 57px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_accounts-session">[ref]</a>  
@@ -25639,7 +25639,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id211" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id211"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id211" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id211"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    systemd:
+      units:
+      - name: auditd.service
+        enabled: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id212" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id212"><pre><code>
+[customizations.services]
+enabled = ["auditd"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id213" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id213"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -25707,20 +25721,6 @@
   - medium_severity
   - no_reboot_needed
   - service_auditd_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id212" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id212"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-      - name: auditd.service
-        enabled: true
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id213" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id213"><pre><code>
-[customizations.services]
-enabled = ["auditd"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id214" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id214"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_auditd
 
 class enable_auditd {
@@ -25759,7 +25759,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id217" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id217"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id217" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id217"><pre><code>[customizations.kernel]
+append = "audit=1"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id218" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id218"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -25876,8 +25878,6 @@
   - medium_complexity
   - reboot_required
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id218" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id218"><pre><code>[customizations.kernel]
-append = "audit=1"
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_bootloader-grub2" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td style="padding-left: 38px" id="xccdf_org.ssgproject.content_group_bootloader-grub2"><span class="label label-default">Group</span>  
                 GRUB2 bootloader configuration
                           <small>Group contains 1 group and 2 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_bootloader-grub2" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_bootloader-grub2" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td style="padding-left: 38px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_bootloader-grub2">[ref]</a>  
@@ -26165,7 +26165,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id227" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id227"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service firewalld
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id227" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id227"><pre><code>
+[customizations.services]
+enabled = ["firewalld"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id228" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id228"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service firewalld
   block:
 
   - name: Gather the package facts
@@ -26196,9 +26199,6 @@
   - medium_severity
   - no_reboot_needed
   - service_firewalld_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id228" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id228"><pre><code>
-[customizations.services]
-enabled = ["firewalld"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id229" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id229"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_firewalld
 
 class enable_firewalld {
/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-cui.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-cui.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-cui.html	2023-07-27 00:00:00.000000000 +0000
@@ -81,7 +81,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_cui</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:oracle:linux:7 is applicable to this Benchmark">cpe:/o:oracle:linux:7</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_OL-7"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_OL-7"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Oracle Linux 7
                           <small>Group contains 51 groups and 104 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_OL-7"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -151,7 +151,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id18" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id18"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure dracut-fips is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id18" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id18"><pre><code>
+[[packages]]
+name = "dracut-fips"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id19" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id19"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure dracut-fips is installed
   package:
     name: dracut-fips
     state: present
@@ -175,19 +179,15 @@
   - medium_severity
   - no_reboot_needed
   - package_dracut-fips_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id19" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id19"><pre><code>
-[[packages]]
-name = "dracut-fips"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id20" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id20"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=dracut-fips
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id21" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id21"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_dracut-fips
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id20" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id20"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_dracut-fips
 
 class install_dracut-fips {
   package { 'dracut-fips':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id21" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id21"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=dracut-fips
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode" id="guide-tree-leaf-id22" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_fips"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode"><span class="label label-default">Rule</span>  
                                 Enable FIPS Mode in GRUB2
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">To ensure FIPS mode is enabled, install package <code>dracut-fips</code>, and rebuild <code>initramfs</code> by running the following commands:
@@ -7339,7 +7339,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id75" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id75"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure screen is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id75" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id75"><pre><code>
+[[packages]]
+name = "screen"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id76" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id76"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure screen is installed
   package:
     name: screen
     state: present
@@ -7354,19 +7358,15 @@
   - medium_severity
   - no_reboot_needed
   - package_screen_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id76" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id76"><pre><code>
-[[packages]]
-name = "screen"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id77" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id77"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=screen
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id78" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id78"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_screen
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id77" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id77"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_screen
 
 class install_screen {
   package { 'screen':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id78" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id78"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=screen
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_debug-shell_disabled" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_debug-shell_disabled" id="guide-tree-leaf-id79" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-physical"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_service_debug-shell_disabled"><span class="label label-default">Rule</span>  
                                 Disable debug-shell SystemD Service
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_service_debug-shell_disabled">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">SystemD's <code>debug-shell</code> service is intended to
@@ -7402,7 +7402,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id81" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id81"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Block Disable service debug-shell
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id81" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id81"><pre><code>
+[customizations.services]
+disabled = ["debug-shell"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id82" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id82"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Block Disable service debug-shell
   block:
 
   - name: Disable service debug-shell
@@ -7465,9 +7468,6 @@
   - medium_severity
   - no_reboot_needed
   - service_debug-shell_disabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id82" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id82"><pre><code>
-[customizations.services]
-disabled = ["debug-shell"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id83" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id83"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include disable_debug-shell
 
 class disable_debug-shell {
@@ -7964,7 +7964,26 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id101" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id101"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id101" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id101"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/password-auth
+        overwrite: true
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/system-auth
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id102" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id102"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
     authselect
   ansible.builtin.stat:
     path: /usr/bin/authselect
@@ -8088,25 +8107,6 @@
   - medium_disruption
   - no_empty_passwords
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id102" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id102"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/password-auth
-        overwrite: true
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/system-auth
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_root_logins" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-restrictions"><td style="padding-left: 76px" id="xccdf_org.ssgproject.content_group_root_logins"><span class="label label-default">Group</span>  
                 Restrict Root Logins
                           <small>Group contains  1 rule</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_root_logins" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_root_logins" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-restrictions"><td style="padding-left: 76px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_root_logins">[ref]</a>  
@@ -8809,7 +8809,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id125" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id125"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id125" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id125"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    systemd:
+      units:
+      - name: auditd.service
+        enabled: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id126" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id126"><pre><code>
+[customizations.services]
+enabled = ["auditd"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id127" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id127"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -8877,20 +8891,6 @@
   - medium_severity
   - no_reboot_needed
   - service_auditd_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id126" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id126"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-      - name: auditd.service
-        enabled: true
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id127" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id127"><pre><code>
-[customizations.services]
-enabled = ["auditd"]
/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-e8.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-e8.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-e8.html	2023-07-27 00:00:00.000000000 +0000
@@ -71,7 +71,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>[DRAFT] Australian Cyber Security Centre (ACSC) Essential Eight</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_e8</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:oracle:linux:7 is applicable to this Benchmark">cpe:/o:oracle:linux:7</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_avahi">Avahi Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_proxy">Proxy Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_routing">Network Routing</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_OL-7"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_OL-7"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Oracle Linux 7
                           <small>Group contains 46 groups and 93 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_OL-7"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -816,7 +816,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id36" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id36"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rear is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id36" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id36"><pre><code>
+[[packages]]
+name = "rear"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id37" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id37"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rear is installed
   package:
     name: rear
     state: present
@@ -832,19 +836,15 @@
   - medium_severity
   - no_reboot_needed
   - package_rear_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id37" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id37"><pre><code>
-[[packages]]
-name = "rear"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id38" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id38"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=rear
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id39" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id39"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_rear
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id38" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id38"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_rear
 
 class install_rear {
   package { 'rear':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id39" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id39"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=rear
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_updating" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_software"><td style="padding-left: 57px" id="xccdf_org.ssgproject.content_group_updating"><span class="label label-default">Group</span>  
                 Updating Software
                           <small>Group contains 5 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_updating" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_updating" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_software"><td style="padding-left: 57px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_updating">[ref]</a>  
@@ -1312,7 +1312,26 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id56" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id56"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id56" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id56"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/password-auth
+        overwrite: true
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/system-auth
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id57" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id57"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
     authselect
   ansible.builtin.stat:
     path: /usr/bin/authselect
@@ -1436,25 +1455,6 @@
   - medium_disruption
   - no_empty_passwords
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id57" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id57"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/password-auth
-        overwrite: true
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/system-auth
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_root_logins" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-restrictions"><td style="padding-left: 76px" id="xccdf_org.ssgproject.content_group_root_logins"><span class="label label-default">Group</span>  
                 Restrict Root Logins
                           <small>Group contains  1 rule</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_root_logins" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_root_logins" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-restrictions"><td style="padding-left: 76px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_root_logins">[ref]</a>  
@@ -15013,7 +15013,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id141" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id141"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id141" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id141"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    systemd:
+      units:
+      - name: auditd.service
+        enabled: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id142" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id142"><pre><code>
+[customizations.services]
+enabled = ["auditd"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id143" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id143"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -15081,20 +15095,6 @@
   - medium_severity
   - no_reboot_needed
   - service_auditd_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id142" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id142"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-      - name: auditd.service
-        enabled: true
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id143" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id143"><pre><code>
-[customizations.services]
-enabled = ["auditd"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id144" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id144"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_auditd
 
 class enable_auditd {
@@ -15135,7 +15135,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id147" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id147"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rsyslog is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id147" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id147"><pre><code>
+[[packages]]
+name = "rsyslog"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id148" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id148"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rsyslog is installed
   package:
     name: rsyslog
     state: present
@@ -15148,19 +15152,15 @@
   - medium_severity
   - no_reboot_needed
   - package_rsyslog_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id148" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id148"><pre><code>
-[[packages]]
-name = "rsyslog"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id149" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id149"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=rsyslog
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id150" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id150"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_rsyslog
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id149" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id149"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_rsyslog
 
 class install_rsyslog {
   package { 'rsyslog':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id150" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id150"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=rsyslog
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_rsyslog_enabled" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rsyslog_enabled" id="guide-tree-leaf-id151" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_logging"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_service_rsyslog_enabled"><span class="label label-default">Rule</span>  
                                 Enable rsyslog Service
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_service_rsyslog_enabled">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The <code>rsyslog</code> service provides syslog-style logging by default on Oracle Linux 7.
@@ -15179,7 +15179,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id153" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id153"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service rsyslog
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id153" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id153"><pre><code>
+[customizations.services]
+enabled = ["rsyslog"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id154" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id154"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service rsyslog
   block:
 
   - name: Gather the package facts
@@ -15204,9 +15207,6 @@
   - medium_severity
   - no_reboot_needed
   - service_rsyslog_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id154" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id154"><pre><code>
-[customizations.services]
-enabled = ["rsyslog"]
/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-hipaa.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-hipaa.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-hipaa.html	2023-07-27 00:00:00.000000000 +0000
@@ -74,7 +74,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Health Insurance Portability and Accountability Act (HIPAA)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_hipaa</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:oracle:linux:7 is applicable to this Benchmark">cpe:/o:oracle:linux:7</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_routing">Network Routing</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_OL-7"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_OL-7"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Oracle Linux 7
                           <small>Group contains 54 groups and 142 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_OL-7"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -1212,7 +1212,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id44" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id44"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Block Disable service debug-shell
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id44" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id44"><pre><code>
+[customizations.services]
+disabled = ["debug-shell"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id45" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id45"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Block Disable service debug-shell
   block:
 
   - name: Disable service debug-shell
@@ -1275,9 +1278,6 @@
   - medium_severity
   - no_reboot_needed
   - service_debug-shell_disabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id45" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id45"><pre><code>
-[customizations.services]
-disabled = ["debug-shell"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id46" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id46"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include disable_debug-shell
 
 class disable_debug-shell {
@@ -1670,7 +1670,26 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id61" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id61"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id61" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id61"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/password-auth
+        overwrite: true
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/system-auth
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id62" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id62"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
     authselect
   ansible.builtin.stat:
     path: /usr/bin/authselect
@@ -1794,25 +1813,6 @@
   - medium_disruption
   - no_empty_passwords
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id62" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id62"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/password-auth
-        overwrite: true
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/system-auth
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_root_logins" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-restrictions"><td style="padding-left: 76px" id="xccdf_org.ssgproject.content_group_root_logins"><span class="label label-default">Group</span>  
                 Restrict Root Logins
                           <small>Group contains 3 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_root_logins" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_root_logins" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-restrictions"><td style="padding-left: 76px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_root_logins">[ref]</a>  
@@ -44768,7 +44768,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id278" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id278"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id278" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id278"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    systemd:
+      units:
+      - name: auditd.service
+        enabled: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id279" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id279"><pre><code>
+[customizations.services]
+enabled = ["auditd"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id280" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id280"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -44836,20 +44850,6 @@
   - medium_severity
   - no_reboot_needed
   - service_auditd_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id279" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id279"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-      - name: auditd.service
-        enabled: true
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id280" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id280"><pre><code>
-[customizations.services]
-enabled = ["auditd"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id281" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id281"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_auditd
 
 class enable_auditd {
@@ -44888,7 +44888,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id284" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id284"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id284" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id284"><pre><code>[customizations.kernel]
+append = "audit=1"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id285" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id285"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -45005,8 +45007,6 @@
   - medium_complexity
   - reboot_required
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id285" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id285"><pre><code>[customizations.kernel]
-append = "audit=1"
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_bootloader-grub2" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td style="padding-left: 38px" id="xccdf_org.ssgproject.content_group_bootloader-grub2"><span class="label label-default">Group</span>  
                 GRUB2 bootloader configuration
                           <small>Group contains 2 groups and 5 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_bootloader-grub2" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_bootloader-grub2" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td style="padding-left: 38px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_bootloader-grub2">[ref]</a>  
@@ -45522,7 +45522,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id303" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id303"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Block Disable service autofs
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id303" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id303"><pre><code>
+[customizations.services]
+disabled = ["autofs"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id304" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id304"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Block Disable service autofs
   block:
 
   - name: Disable service autofs
@@ -45597,9 +45600,6 @@
   - medium_severity
   - no_reboot_needed
   - service_autofs_disabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id304" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id304"><pre><code>
-[customizations.services]
-disabled = ["autofs"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id305" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id305"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include disable_autofs
 
 class disable_autofs {
@@ -46699,7 +46699,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id339" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id339"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Block Disable service kdump
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id339" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id339"><pre><code>
+[customizations.services]
+disabled = ["kdump"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id340" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id340"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Block Disable service kdump
   block:
 
   - name: Disable service kdump
@@ -46768,12 +46771,7 @@
   - medium_severity
   - no_reboot_needed
   - service_kdump_disabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id340" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id340"><pre><code>
-[customizations.services]
-disabled = ["kdump"]
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id341" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id341"><pre><code>
-kdump --disable
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id342" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id342"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include disable_kdump
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id341" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id341"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include disable_kdump
 
 class disable_kdump {
   service {'kdump':
@@ -46781,6 +46779,8 @@
/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-ncp.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-ncp.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-ncp.html	2023-07-27 00:00:00.000000000 +0000
@@ -91,7 +91,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>NIST National Checklist Program Security Guide</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_ncp</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:oracle:linux:7 is applicable to this Benchmark">cpe:/o:oracle:linux:7</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_routing">Network Routing</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_sssd">System Security Services Daemon</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_OL-7"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_OL-7"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Oracle Linux 7
                           <small>Group contains 104 groups and 382 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_OL-7"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -480,7 +480,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id24" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id24"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id24" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id24"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -497,19 +501,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id26" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id26"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id27" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id27"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id26" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id26"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id27" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id27"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_build_database" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_aide_build_database" id="guide-tree-leaf-id28" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_aide"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_aide_build_database"><span class="label label-default">Rule</span>  
                                 Build and Test AIDE Database
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_aide_build_database">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Run the following command to generate a new database:
@@ -1053,7 +1053,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id45" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id45"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure dracut-fips is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id45" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id45"><pre><code>
+[[packages]]
+name = "dracut-fips"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id46" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id46"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure dracut-fips is installed
   package:
     name: dracut-fips
     state: present
@@ -1077,19 +1081,15 @@
   - medium_severity
   - no_reboot_needed
   - package_dracut-fips_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id46" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id46"><pre><code>
-[[packages]]
-name = "dracut-fips"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id47" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id47"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=dracut-fips
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id48" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id48"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_dracut-fips
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id47" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id47"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_dracut-fips
 
 class install_dracut-fips {
   package { 'dracut-fips':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id48" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id48"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=dracut-fips
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode" id="guide-tree-leaf-id49" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_fips"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode"><span class="label label-default">Rule</span>  
                                 Enable FIPS Mode in GRUB2
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">To ensure FIPS mode is enabled, install package <code>dracut-fips</code>, and rebuild <code>initramfs</code> by running the following commands:
@@ -15345,7 +15345,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id223" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id223"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure screen is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id223" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id223"><pre><code>
+[[packages]]
+name = "screen"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id224" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id224"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure screen is installed
   package:
     name: screen
     state: present
@@ -15360,19 +15364,15 @@
   - medium_severity
   - no_reboot_needed
   - package_screen_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id224" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id224"><pre><code>
-[[packages]]
-name = "screen"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id225" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id225"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=screen
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id226" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id226"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_screen
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id225" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id225"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_screen
 
 class install_screen {
   package { 'screen':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id226" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id226"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=screen
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_smart_card_login" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_screen_locking"><td style="padding-left: 95px" id="xccdf_org.ssgproject.content_group_smart_card_login"><span class="label label-default">Group</span>  
                 Hardware Tokens for Authentication
                           <small>Group contains 6 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_smart_card_login" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_smart_card_login" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_screen_locking"><td style="padding-left: 95px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_smart_card_login">[ref]</a>  
@@ -15406,7 +15406,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id229" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id229"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure opensc is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id229" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id229"><pre><code>
+[[packages]]
+name = "opensc"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id230" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id230"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure opensc is installed
   package:
     name: opensc
     state: present
@@ -15419,19 +15423,15 @@
   - medium_severity
   - no_reboot_needed
   - package_opensc_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id230" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id230"><pre><code>
-[[packages]]
-name = "opensc"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id231" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id231"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=opensc
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id232" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id232"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_opensc
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id231" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id231"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_opensc
 
 class install_opensc {
   package { 'opensc':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id232" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id232"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=opensc
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_pcsc-lite_installed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_pcsc-lite_installed" id="guide-tree-leaf-id233" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smart_card_login"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_pcsc-lite_installed"><span class="label label-default">Rule</span>  
                                 Install the pcsc-lite package
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_pcsc-lite_installed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The <code>pcsc-lite</code> package can be installed with the following command:
@@ -15448,7 +15448,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id235" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id235"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure pcsc-lite is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id235" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id235"><pre><code>
+[[packages]]
+name = "pcsc-lite"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id236" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id236"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure pcsc-lite is installed
   package:
     name: pcsc-lite
     state: present
@@ -15461,19 +15465,15 @@
   - medium_severity
   - no_reboot_needed
   - package_pcsc-lite_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id236" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id236"><pre><code>
-[[packages]]
-name = "pcsc-lite"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id237" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id237"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=pcsc-lite
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id238" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id238"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_pcsc-lite
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id237" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id237"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_pcsc-lite
 
 class install_pcsc-lite {
   package { 'pcsc-lite':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id238" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id238"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=pcsc-lite
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_pcscd_enabled" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_pcscd_enabled" id="guide-tree-leaf-id239" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smart_card_login"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_service_pcscd_enabled"><span class="label label-default">Rule</span>  
                                 Enable the pcscd Service
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_service_pcscd_enabled">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">
@@ -15499,7 +15499,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id241" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id241"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service pcscd
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id241" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id241"><pre><code>
+[customizations.services]
+enabled = ["pcscd"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id242" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id242"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service pcscd
/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-ospp.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-ospp.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-ospp.html	2023-07-27 00:00:00.000000000 +0000
@@ -72,7 +72,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>[DRAFT] Protection Profile for General Purpose Operating Systems</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_ospp</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:oracle:linux:7 is applicable to this Benchmark">cpe:/o:oracle:linux:7</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_OL-7"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_OL-7"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Oracle Linux 7
                           <small>Group contains 51 groups and 104 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_OL-7"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -142,7 +142,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id18" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id18"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure dracut-fips is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id18" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id18"><pre><code>
+[[packages]]
+name = "dracut-fips"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id19" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id19"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure dracut-fips is installed
   package:
     name: dracut-fips
     state: present
@@ -166,19 +170,15 @@
   - medium_severity
   - no_reboot_needed
   - package_dracut-fips_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id19" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id19"><pre><code>
-[[packages]]
-name = "dracut-fips"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id20" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id20"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=dracut-fips
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id21" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id21"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_dracut-fips
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id20" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id20"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_dracut-fips
 
 class install_dracut-fips {
   package { 'dracut-fips':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id21" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id21"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=dracut-fips
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode" id="guide-tree-leaf-id22" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_fips"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode"><span class="label label-default">Rule</span>  
                                 Enable FIPS Mode in GRUB2
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">To ensure FIPS mode is enabled, install package <code>dracut-fips</code>, and rebuild <code>initramfs</code> by running the following commands:
@@ -7330,7 +7330,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id75" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id75"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure screen is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id75" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id75"><pre><code>
+[[packages]]
+name = "screen"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id76" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id76"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure screen is installed
   package:
     name: screen
     state: present
@@ -7345,19 +7349,15 @@
   - medium_severity
   - no_reboot_needed
   - package_screen_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id76" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id76"><pre><code>
-[[packages]]
-name = "screen"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id77" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id77"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=screen
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id78" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id78"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_screen
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id77" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id77"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_screen
 
 class install_screen {
   package { 'screen':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id78" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id78"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=screen
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_debug-shell_disabled" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_debug-shell_disabled" id="guide-tree-leaf-id79" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-physical"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_service_debug-shell_disabled"><span class="label label-default">Rule</span>  
                                 Disable debug-shell SystemD Service
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_service_debug-shell_disabled">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">SystemD's <code>debug-shell</code> service is intended to
@@ -7393,7 +7393,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id81" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id81"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Block Disable service debug-shell
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id81" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id81"><pre><code>
+[customizations.services]
+disabled = ["debug-shell"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id82" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id82"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Block Disable service debug-shell
   block:
 
   - name: Disable service debug-shell
@@ -7456,9 +7459,6 @@
   - medium_severity
   - no_reboot_needed
   - service_debug-shell_disabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id82" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id82"><pre><code>
-[customizations.services]
-disabled = ["debug-shell"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id83" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id83"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include disable_debug-shell
 
 class disable_debug-shell {
@@ -7955,7 +7955,26 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id101" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id101"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id101" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id101"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/password-auth
+        overwrite: true
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/system-auth
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id102" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id102"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
     authselect
   ansible.builtin.stat:
     path: /usr/bin/authselect
@@ -8079,25 +8098,6 @@
   - medium_disruption
   - no_empty_passwords
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id102" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id102"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/password-auth
-        overwrite: true
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/system-auth
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_root_logins" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-restrictions"><td style="padding-left: 76px" id="xccdf_org.ssgproject.content_group_root_logins"><span class="label label-default">Group</span>  
                 Restrict Root Logins
                           <small>Group contains  1 rule</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_root_logins" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_root_logins" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-restrictions"><td style="padding-left: 76px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_root_logins">[ref]</a>  
@@ -8800,7 +8800,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id125" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id125"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id125" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id125"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    systemd:
+      units:
+      - name: auditd.service
+        enabled: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id126" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id126"><pre><code>
+[customizations.services]
+enabled = ["auditd"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id127" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id127"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -8868,20 +8882,6 @@
   - medium_severity
   - no_reboot_needed
   - service_auditd_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id126" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id126"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-      - name: auditd.service
-        enabled: true
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id127" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id127"><pre><code>
-[customizations.services]
-enabled = ["auditd"]
/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-pci-dss.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-pci-dss.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-pci-dss.html	2023-07-27 00:00:00.000000000 +0000
@@ -65,7 +65,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>PCI-DSS v3.2.1 Control Baseline Draft for Oracle Linux 7</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_pci-dss</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:oracle:linux:7 is applicable to this Benchmark">cpe:/o:oracle:linux:7</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_OL-7"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_OL-7"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Oracle Linux 7
                           <small>Group contains 48 groups and 99 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_OL-7"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -454,7 +454,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id24" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id24"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id24" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id24"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -471,19 +475,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id26" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id26"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id27" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id27"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id26" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id26"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id27" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id27"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_build_database" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_aide_build_database" id="guide-tree-leaf-id28" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_aide"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_aide_build_database"><span class="label label-default">Rule</span>  
                                 Build and Test AIDE Database
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_aide_build_database">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Run the following command to generate a new database:
@@ -7707,7 +7707,26 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id113" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id113"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id113" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id113"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/password-auth
+        overwrite: true
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/system-auth
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id114" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id114"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
     authselect
   ansible.builtin.stat:
     path: /usr/bin/authselect
@@ -7831,25 +7850,6 @@
   - medium_disruption
   - no_empty_passwords
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id114" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id114"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/password-auth
-        overwrite: true
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/system-auth
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_auditing" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td style="padding-left: 38px" id="xccdf_org.ssgproject.content_group_auditing"><span class="label label-default">Group</span>  
                 System Accounting with auditd
                           <small>Group contains 9 groups and 41 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_auditing" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_auditing" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td style="padding-left: 38px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_auditing">[ref]</a>  
@@ -29046,7 +29046,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id229" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id229"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id229" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id229"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    systemd:
+      units:
+      - name: auditd.service
+        enabled: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id230" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id230"><pre><code>
+[customizations.services]
+enabled = ["auditd"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id231" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id231"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -29114,20 +29128,6 @@
   - medium_severity
   - no_reboot_needed
   - service_auditd_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id230" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id230"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-      - name: auditd.service
-        enabled: true
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id231" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id231"><pre><code>
-[customizations.services]
-enabled = ["auditd"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id232" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id232"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_auditd
 
 class enable_auditd {
@@ -29166,7 +29166,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id235" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id235"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id235" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id235"><pre><code>[customizations.kernel]
+append = "audit=1"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id236" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id236"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -29283,8 +29285,6 @@
   - medium_complexity
   - reboot_required
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id236" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id236"><pre><code>[customizations.kernel]
-append = "audit=1"
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_bootloader-grub2" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td style="padding-left: 38px" id="xccdf_org.ssgproject.content_group_bootloader-grub2"><span class="label label-default">Group</span>  
                 GRUB2 bootloader configuration
                           <small>Group contains 2 groups and 4 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_bootloader-grub2" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_bootloader-grub2" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td style="padding-left: 38px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_bootloader-grub2">[ref]</a>  
@@ -30748,7 +30748,11 @@
 if ! rpm -q --quiet "libreswan" ; then
     yum install -y "libreswan"
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id263" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id263"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure libreswan is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id263" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id263"><pre><code>
+[[packages]]
+name = "libreswan"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id264" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id264"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure libreswan is installed
   package:
     name: libreswan
     state: present
@@ -30762,19 +30766,15 @@
   - medium_severity
   - no_reboot_needed
   - package_libreswan_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id264" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id264"><pre><code>
-[[packages]]
-name = "libreswan"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id265" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id265"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=libreswan
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id266" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id266"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_libreswan
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id265" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id265"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_libreswan
 
 class install_libreswan {
   package { 'libreswan':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id266" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id266"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=libreswan
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_permissions" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td style="padding-left: 38px" id="xccdf_org.ssgproject.content_group_permissions"><span class="label label-default">Group</span>  
                 File Permissions and Masks
/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-sap.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-sap.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-sap.html	2023-07-27 00:00:00.000000000 +0000
@@ -66,7 +66,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Security Profile of Oracle Linux 7 for SAP</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_sap</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:oracle:linux:7 is applicable to this Benchmark">cpe:/o:oracle:linux:7</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_OL-7"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_OL-7"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Oracle Linux 7
                           <small>Group contains 10 groups and 9 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_OL-7"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -98,7 +98,11 @@
 if ! rpm -q --quiet "glibc" ; then
     yum install -y "glibc"
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id18" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id18"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure glibc is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id18" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id18"><pre><code>
+[[packages]]
+name = "glibc"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id19" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id19"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure glibc is installed
   package:
     name: glibc
     state: present
@@ -109,19 +113,15 @@
   - medium_severity
   - no_reboot_needed
   - package_glibc_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id19" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id19"><pre><code>
-[[packages]]
-name = "glibc"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id20" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id20"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=glibc
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id21" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id21"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_glibc
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id20" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id20"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_glibc
 
 class install_glibc {
   package { 'glibc':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id21" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id21"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=glibc
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_uuidd_installed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_uuidd_installed" id="guide-tree-leaf-id22" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_sap_host"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_uuidd_installed"><span class="label label-default">Rule</span>  
                                 Package uuidd Installed
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_uuidd_installed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The package <code>uuidd</code> is not installed on normal Linux distribution
@@ -138,7 +138,11 @@
 if ! rpm -q --quiet "uuidd" ; then
     yum install -y "uuidd"
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id24" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id24"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure uuidd is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id24" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id24"><pre><code>
+[[packages]]
+name = "uuidd"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure uuidd is installed
   package:
     name: uuidd
     state: present
@@ -149,19 +153,15 @@
   - medium_severity
   - no_reboot_needed
   - package_uuidd_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><pre><code>
-[[packages]]
-name = "uuidd"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id26" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id26"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=uuidd
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id27" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id27"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_uuidd
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id26" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id26"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_uuidd
 
 class install_uuidd {
   package { 'uuidd':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id27" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id27"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=uuidd
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_accounts_authorized_local_users_sidadm_orasid" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_accounts_authorized_local_users_sidadm_orasid" id="guide-tree-leaf-id28" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_sap_host"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_accounts_authorized_local_users_sidadm_orasid"><span class="label label-default">Rule</span>  
                                 Only sidadm and orasid/oracle User Accounts Exist on Operating System
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_accounts_authorized_local_users_sidadm_orasid">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">SAP tends to use the server or virtual machine exclusively. There should be only
@@ -429,15 +429,15 @@
   - no_reboot_needed
   - package_ypbind_removed
   - unknown_severity
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id36" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id36"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=ypbind
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id37" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id37"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_ypbind
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id36" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id36"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_ypbind
 
 class remove_ypbind {
   package { 'ypbind':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id37" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id37"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=ypbind
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_ypserv_removed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ypserv_removed" id="guide-tree-leaf-id38" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_nis"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_ypserv_removed"><span class="label label-default">Rule</span>  
                                 Uninstall ypserv Package
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_ypserv_removed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The <code>ypserv</code> package can be removed with the following command:
@@ -478,15 +478,15 @@
   - low_disruption
   - no_reboot_needed
   - package_ypserv_removed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id41" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id41"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=ypserv
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id42" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id42"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_ypserv
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id41" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id41"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_ypserv
 
 class remove_ypserv {
   package { 'ypserv':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id42" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id42"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=ypserv
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_r_services" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td style="padding-left: 57px" id="xccdf_org.ssgproject.content_group_r_services"><span class="label label-default">Group</span>  
                 Rlogin, Rsh, and Rexec
                           <small>Group contains 3 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_r_services" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_r_services" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td style="padding-left: 57px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_r_services">[ref]</a>  
@@ -524,7 +524,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id45" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id45"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Block Disable service rlogin
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id45" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id45"><pre><code>
+[customizations.services]
+disabled = ["rlogin"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id46" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id46"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Block Disable service rlogin
   block:
 
   - name: Disable service rlogin
@@ -599,9 +602,6 @@
   - low_disruption
   - no_reboot_needed
   - service_rlogin_disabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id46" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id46"><pre><code>
-[customizations.services]
-disabled = ["rlogin"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id47" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id47"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include disable_rlogin
 
 class disable_rlogin {
@@ -642,7 +642,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id50" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id50"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Block Disable service rsh
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id50" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id50"><pre><code>
+[customizations.services]
+disabled = ["rsh"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id51" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id51"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Block Disable service rsh
   block:
 
   - name: Disable service rsh
@@ -717,9 +720,6 @@
   - low_disruption
   - no_reboot_needed
   - service_rsh_disabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id51" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id51"><pre><code>
-[customizations.services]
-disabled = ["rsh"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id52" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id52"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include disable_rsh
 
 class disable_rsh {
/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-standard.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-standard.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-standard.html	2023-07-27 00:00:00.000000000 +0000
@@ -67,7 +67,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Standard System Security Profile for Oracle Linux 7</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_standard</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:oracle:linux:7 is applicable to this Benchmark">cpe:/o:oracle:linux:7</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_OL-7"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_OL-7"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Oracle Linux 7
                           <small>Group contains 28 groups and 72 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_OL-7"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -795,7 +795,26 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id37" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id37"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id37" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id37"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/password-auth
+        overwrite: true
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/system-auth
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id38" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id38"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
     authselect
   ansible.builtin.stat:
     path: /usr/bin/authselect
@@ -919,25 +938,6 @@
   - medium_disruption
   - no_empty_passwords
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id38" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id38"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/password-auth
-        overwrite: true
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/system-auth
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_accounts-session" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts"><td style="padding-left: 57px" id="xccdf_org.ssgproject.content_group_accounts-session"><span class="label label-default">Group</span>  
                 Secure Session Configuration Files for Login Accounts
                           <small>Group contains 1 group and 2 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_accounts-session" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_accounts-session" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts"><td style="padding-left: 57px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_accounts-session">[ref]</a>  
@@ -29204,7 +29204,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id179" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id179"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rsyslog is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id179" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id179"><pre><code>
+[[packages]]
+name = "rsyslog"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id180" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id180"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rsyslog is installed
   package:
     name: rsyslog
     state: present
@@ -29217,19 +29221,15 @@
   - medium_severity
   - no_reboot_needed
   - package_rsyslog_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id180" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id180"><pre><code>
-[[packages]]
-name = "rsyslog"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id181" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id181"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=rsyslog
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id182" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id182"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_rsyslog
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id181" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id181"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_rsyslog
 
 class install_rsyslog {
   package { 'rsyslog':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id182" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id182"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=rsyslog
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_rsyslog_enabled" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rsyslog_enabled" id="guide-tree-leaf-id183" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_logging"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_service_rsyslog_enabled"><span class="label label-default">Rule</span>  
                                 Enable rsyslog Service
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_service_rsyslog_enabled">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The <code>rsyslog</code> service provides syslog-style logging by default on Oracle Linux 7.
@@ -29248,7 +29248,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id185" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id185"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service rsyslog
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id185" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id185"><pre><code>
+[customizations.services]
+enabled = ["rsyslog"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id186" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id186"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service rsyslog
   block:
 
   - name: Gather the package facts
@@ -29273,9 +29276,6 @@
   - medium_severity
   - no_reboot_needed
   - service_rsyslog_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id186" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id186"><pre><code>
-[customizations.services]
-enabled = ["rsyslog"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id187" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id187"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_rsyslog
 
 class enable_rsyslog {
@@ -29466,7 +29466,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id197" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id197"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Block Disable service autofs
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id197" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id197"><pre><code>
+[customizations.services]
+disabled = ["autofs"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id198" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id198"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Block Disable service autofs
   block:
 
   - name: Disable service autofs
@@ -29541,9 +29544,6 @@
   - medium_severity
   - no_reboot_needed
   - service_autofs_disabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id198" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id198"><pre><code>
-[customizations.services]
-disabled = ["autofs"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id199" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id199"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include disable_autofs
 
 class disable_autofs {
@@ -29947,7 +29947,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id208" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id208"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Block Disable service abrtd
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id208" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id208"><pre><code>
+[customizations.services]
+disabled = ["abrtd"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id209" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id209"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Block Disable service abrtd
   block:
 
   - name: Disable service abrtd
@@ -30010,9 +30013,6 @@
   - medium_severity
   - no_reboot_needed
   - service_abrtd_disabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id209" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id209"><pre><code>
-[customizations.services]
-disabled = ["abrtd"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id210" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id210"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include disable_abrtd
 
 class disable_abrtd {
@@ -30054,7 +30054,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id213" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id213"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Block Disable service ntpdate
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id213" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id213"><pre><code>
+[customizations.services]
+disabled = ["ntpdate"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id214" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id214"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Block Disable service ntpdate
   block:
 
   - name: Disable service ntpdate
@@ -30120,9 +30123,6 @@
   - low_severity
   - no_reboot_needed
   - service_ntpdate_disabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id214" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id214"><pre><code>
-[customizations.services]
-disabled = ["ntpdate"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id215" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id215"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include disable_ntpdate
 
 class disable_ntpdate {
@@ -30163,7 +30163,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id218" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id218"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Block Disable service oddjobd
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id218" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id218"><pre><code>
+[customizations.services]
+disabled = ["oddjobd"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id219" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id219"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Block Disable service oddjobd
   block:
 
/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-stig.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-stig.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-stig.html	2023-07-27 00:00:00.000000000 +0000
@@ -66,7 +66,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>DISA STIG for Oracle Linux 7</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_stig</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:oracle:linux:7 is applicable to this Benchmark">cpe:/o:oracle:linux:7</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_snmp">SNMP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_sssd">System Security Services Daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_xwindows">X Window System</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_OL-7"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_OL-7"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Oracle Linux 7
                           <small>Group contains 103 groups and 286 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_OL-7"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -575,7 +575,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id27" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id27"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id27" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id27"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id28" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id28"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -592,19 +596,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id28" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id28"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id29" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id29"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id30" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id30"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id29" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id29"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id30" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id30"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_build_database" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_aide_build_database" id="guide-tree-leaf-id31" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_aide"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_aide_build_database"><span class="label label-default">Rule</span>  
                                 Build and Test AIDE Database
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_aide_build_database">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Run the following command to generate a new database:
@@ -16009,7 +16009,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id222" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id222"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure screen is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id222" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id222"><pre><code>
+[[packages]]
+name = "screen"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id223" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id223"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure screen is installed
   package:
     name: screen
     state: present
@@ -16024,19 +16028,15 @@
   - medium_severity
   - no_reboot_needed
   - package_screen_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id223" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id223"><pre><code>
-[[packages]]
-name = "screen"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id224" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id224"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=screen
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id225" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id225"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_screen
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id224" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id224"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_screen
 
 class install_screen {
   package { 'screen':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id225" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id225"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=screen
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_smart_card_login" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_screen_locking"><td style="padding-left: 95px" id="xccdf_org.ssgproject.content_group_smart_card_login"><span class="label label-default">Group</span>  
                 Hardware Tokens for Authentication
                           <small>Group contains 3 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_smart_card_login" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_smart_card_login" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_screen_locking"><td style="padding-left: 95px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_smart_card_login">[ref]</a>  
@@ -16072,7 +16072,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id228" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id228"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure pam_pkcs11 is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id228" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id228"><pre><code>
+[[packages]]
+name = "pam_pkcs11"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id229" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id229"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure pam_pkcs11 is installed
   package:
     name: pam_pkcs11
     state: present
@@ -16090,19 +16094,15 @@
   - low_disruption
   - medium_severity
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id229" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id229"><pre><code>
-[[packages]]
-name = "pam_pkcs11"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id230" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id230"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=pam_pkcs11
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id231" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id231"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_pam_pkcs11
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id230" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id230"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_pam_pkcs11
 
 class install_pam_pkcs11 {
   package { 'pam_pkcs11':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id231" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id231"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=pam_pkcs11
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_smartcard_auth" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_smartcard_auth" id="guide-tree-leaf-id232" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smart_card_login"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_smartcard_auth"><span class="label label-default">Rule</span>  
                                 Enable Smart Card Login
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_smartcard_auth">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">To enable smart card authentication, consult the documentation at:
@@ -16825,7 +16825,26 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id263" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id263"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id263" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id263"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/password-auth
+        overwrite: true
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/system-auth
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id264" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id264"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
     authselect
   ansible.builtin.stat:
     path: /usr/bin/authselect
@@ -16949,25 +16968,6 @@
   - medium_disruption
   - no_empty_passwords
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id264" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id264"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/password-auth
-        overwrite: true
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/system-auth
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow" id="guide-tree-leaf-id265" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_password_storage"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow"><span class="label label-default">Rule</span>  
                                 Ensure There Are No Accounts With Blank or Null Passwords
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Check the "/etc/shadow" file for blank passwords with the
@@ -58199,7 +58199,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id547" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id547"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id547" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id547"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    systemd:
+      units:
+      - name: auditd.service
+        enabled: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id548" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id548"><pre><code>
+[customizations.services]
+enabled = ["auditd"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id549" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id549"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -58267,20 +58281,6 @@
   - medium_severity
   - no_reboot_needed
   - service_auditd_enabled
/usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-stig_gui.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-stig_gui.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol7-guide-stig_gui.html	2023-07-27 00:00:00.000000000 +0000
@@ -72,7 +72,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>DISA STIG with GUI for Oracle Linux 7</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_stig_gui</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:oracle:linux:7 is applicable to this Benchmark">cpe:/o:oracle:linux:7</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_snmp">SNMP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_sssd">System Security Services Daemon</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_OL-7"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_OL-7"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Oracle Linux 7
                           <small>Group contains 101 groups and 285 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_OL-7"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -581,7 +581,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id27" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id27"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id27" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id27"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id28" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id28"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -598,19 +602,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id28" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id28"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id29" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id29"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id30" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id30"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id29" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id29"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id30" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id30"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_build_database" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_aide_build_database" id="guide-tree-leaf-id31" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_aide"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_aide_build_database"><span class="label label-default">Rule</span>  
                                 Build and Test AIDE Database
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_aide_build_database">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Run the following command to generate a new database:
@@ -16015,7 +16015,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id222" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id222"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure screen is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id222" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id222"><pre><code>
+[[packages]]
+name = "screen"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id223" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id223"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure screen is installed
   package:
     name: screen
     state: present
@@ -16030,19 +16034,15 @@
   - medium_severity
   - no_reboot_needed
   - package_screen_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id223" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id223"><pre><code>
-[[packages]]
-name = "screen"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id224" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id224"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=screen
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id225" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id225"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_screen
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id224" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id224"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_screen
 
 class install_screen {
   package { 'screen':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id225" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id225"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=screen
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_smart_card_login" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_screen_locking"><td style="padding-left: 95px" id="xccdf_org.ssgproject.content_group_smart_card_login"><span class="label label-default">Group</span>  
                 Hardware Tokens for Authentication
                           <small>Group contains 3 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_smart_card_login" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_smart_card_login" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_screen_locking"><td style="padding-left: 95px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_smart_card_login">[ref]</a>  
@@ -16078,7 +16078,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id228" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id228"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure pam_pkcs11 is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id228" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id228"><pre><code>
+[[packages]]
+name = "pam_pkcs11"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id229" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id229"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure pam_pkcs11 is installed
   package:
     name: pam_pkcs11
     state: present
@@ -16096,19 +16100,15 @@
   - low_disruption
   - medium_severity
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id229" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id229"><pre><code>
-[[packages]]
-name = "pam_pkcs11"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id230" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id230"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=pam_pkcs11
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id231" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id231"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_pam_pkcs11
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id230" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id230"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_pam_pkcs11
 
 class install_pam_pkcs11 {
   package { 'pam_pkcs11':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id231" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id231"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=pam_pkcs11
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_smartcard_auth" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_smartcard_auth" id="guide-tree-leaf-id232" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smart_card_login"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_smartcard_auth"><span class="label label-default">Rule</span>  
                                 Enable Smart Card Login
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_smartcard_auth">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">To enable smart card authentication, consult the documentation at:
@@ -16831,7 +16831,26 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id263" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id263"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id263" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id263"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/password-auth
+        overwrite: true
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/system-auth
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id264" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id264"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
     authselect
   ansible.builtin.stat:
     path: /usr/bin/authselect
@@ -16955,25 +16974,6 @@
   - medium_disruption
   - no_empty_passwords
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id264" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id264"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/password-auth
-        overwrite: true
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/system-auth
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow" id="guide-tree-leaf-id265" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_password_storage"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow"><span class="label label-default">Rule</span>  
                                 Ensure There Are No Accounts With Blank or Null Passwords
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Check the "/etc/shadow" file for blank passwords with the
@@ -58205,7 +58205,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id547" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id547"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id547" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id547"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    systemd:
+      units:
+      - name: auditd.service
+        enabled: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id548" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id548"><pre><code>
+[customizations.services]
+enabled = ["auditd"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id549" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id549"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -58273,20 +58287,6 @@
   - medium_severity
   - no_reboot_needed
   - service_auditd_enabled
/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_enhanced.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_enhanced.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_enhanced.html	2023-07-27 00:00:00.000000000 +0000
@@ -71,7 +71,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>ANSSI-BP-028 (enhanced)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_bp28_enhanced</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:oracle:linux:8 is applicable to this Benchmark">cpe:/o:oracle:linux:8</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_OL-8"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_OL-8"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Oracle Linux 8
                           <small>Group contains 68 groups and 233 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_OL-8"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -125,7 +125,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id16" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id16"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id16" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id16"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id17" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id17"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -142,19 +146,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id17" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id17"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id18" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id18"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id19" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id19"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id18" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id18"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id19" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id19"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_build_database" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_aide_build_database" id="guide-tree-leaf-id20" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_aide"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_aide_build_database"><span class="label label-default">Rule</span>  
                                 Build and Test AIDE Database
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_aide_build_database">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Run the following command to generate a new database:
@@ -419,7 +419,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id45" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id45"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id45" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id45"><pre><code>
+[[packages]]
+name = "sudo"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id46" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id46"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -433,19 +437,15 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id46" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id46"><pre><code>
-[[packages]]
-name = "sudo"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id47" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id47"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=sudo
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id48" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id48"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id47" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id47"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
 
 class install_sudo {
   package { 'sudo':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id48" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id48"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=sudo
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sudo_add_env_reset" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sudo_add_env_reset" id="guide-tree-leaf-id49" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_sudo"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_sudo_add_env_reset"><span class="label label-default">Rule</span>  
                                 Ensure sudo Runs In A Minimal Environment - sudo env_reset
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_sudo_add_env_reset">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The sudo <code>env_reset</code> tag, when specified, will run the command in a minimal environment,
@@ -929,7 +929,11 @@
 if ! rpm -q --quiet "dnf-automatic" ; then
     yum install -y "dnf-automatic"
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id78" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id78"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure dnf-automatic is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id78" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id78"><pre><code>
+[[packages]]
+name = "dnf-automatic"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id79" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id79"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure dnf-automatic is installed
   package:
     name: dnf-automatic
     state: present
@@ -940,19 +944,15 @@
   - medium_severity
   - no_reboot_needed
   - package_dnf-automatic_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id79" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id79"><pre><code>
-[[packages]]
-name = "dnf-automatic"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id80" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id80"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=dnf-automatic
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id81" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id81"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_dnf-automatic
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id80" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id80"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_dnf-automatic
 
 class install_dnf-automatic {
   package { 'dnf-automatic':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id81" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id81"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=dnf-automatic
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates" id="guide-tree-leaf-id82" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_updating"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates"><span class="label label-default">Rule</span>  
                                 Configure dnf-automatic to Install Available Updates Automatically
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">To ensure that the packages comprising the available updates will be automatically installed by <code>dnf-automatic</code>, set <code>apply_updates</code> to <code>yes</code> under <code>[commands]</code> section in <code>/etc/dnf/automatic.conf</code>.</div></td></tr><tr><td><span class="label label-primary">Rationale:</span></td><td><div class="rationale">Installing software updates is a fundamental mitigation against
@@ -46307,7 +46307,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id321" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id321"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id321" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id321"><pre><code>[customizations.kernel]
+append = "iommu=force"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id322" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id322"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -46330,8 +46332,6 @@
   - reboot_required
   - restrict_strategy
   - unknown_severity
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id322" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id322"><pre><code>[customizations.kernel]
-append = "iommu=force"
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_l1tf_argument" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_grub2_l1tf_argument" id="guide-tree-leaf-id323" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_bootloader-grub2"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_grub2_l1tf_argument"><span class="label label-default">Rule</span>  
                                 Configure L1 Terminal Fault mitigations
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_grub2_l1tf_argument">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">L1 Terminal Fault (L1TF) is a hardware vulnerability which allows unprivileged
@@ -46366,7 +46366,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id325" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id325"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id325" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id325"><pre><code>[customizations.kernel]
+append = "l1tf=<abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_l1tf_options">full,force</abbr>"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id326" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id326"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -46394,8 +46396,6 @@
   - medium_complexity
   - reboot_required
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id326" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id326"><pre><code>[customizations.kernel]
-append = "l1tf=<abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_l1tf_options">full,force</abbr>"
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_mce_argument" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_grub2_mce_argument" id="guide-tree-leaf-id327" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_bootloader-grub2"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_grub2_mce_argument"><span class="label label-default">Rule</span>  
                                 Force kernel panic on uncorrected MCEs
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_grub2_mce_argument">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">A Machine Check Exception is an error generated by the CPU itdetects an error
@@ -46421,7 +46421,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id329" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id329"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id329" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id329"><pre><code>[customizations.kernel]
+append = "mce=0"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id330" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id330"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -46444,8 +46446,6 @@
   - medium_severity
   - reboot_required
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id330" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id330"><pre><code>[customizations.kernel]
-append = "mce=0"
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_nosmap_argument_absent" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_grub2_nosmap_argument_absent" id="guide-tree-leaf-id331" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_bootloader-grub2"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_grub2_nosmap_argument_absent"><span class="label label-default">Rule</span>  
                                 Ensure SMAP is not disabled during boot
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_grub2_nosmap_argument_absent">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The SMAP is used to prevent the supervisor mode from unintentionally reading/writing into
@@ -46558,7 +46558,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id339" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id339"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id339" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id339"><pre><code>[customizations.kernel]
+append = "pti=on"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id340" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id340"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -46585,8 +46587,6 @@
   - medium_complexity
   - reboot_required
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id340" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id340"><pre><code>[customizations.kernel]
-append = "pti=on"
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_rng_core_default_quality_argument" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_grub2_rng_core_default_quality_argument" id="guide-tree-leaf-id341" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_bootloader-grub2"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_grub2_rng_core_default_quality_argument"><span class="label label-default">Rule</span>  
                                 Configure the confidence in TPM for entropy
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_grub2_rng_core_default_quality_argument">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The TPM security chip that is available in most modern systems has a hardware RNG.
@@ -46624,7 +46624,9 @@
/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_high.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_high.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_high.html	2023-07-27 00:00:00.000000000 +0000
@@ -71,7 +71,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>ANSSI-BP-028 (high)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_bp28_high</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:oracle:linux:8 is applicable to this Benchmark">cpe:/o:oracle:linux:8</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_kernel_build_config">Kernel Configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_OL-8"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_OL-8"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Oracle Linux 8
                           <small>Group contains 69 groups and 287 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_OL-8"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -125,7 +125,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id16" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id16"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id16" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id16"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id17" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id17"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -142,19 +146,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id17" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id17"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id18" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id18"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id19" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id19"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id18" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id18"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id19" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id19"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_build_database" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_aide_build_database" id="guide-tree-leaf-id20" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_aide"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_aide_build_database"><span class="label label-default">Rule</span>  
                                 Build and Test AIDE Database
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_aide_build_database">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Run the following command to generate a new database:
@@ -736,7 +736,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id55" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id55"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id55" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id55"><pre><code>
+[[packages]]
+name = "sudo"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id56" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id56"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -750,19 +754,15 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id56" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id56"><pre><code>
-[[packages]]
-name = "sudo"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id57" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id57"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=sudo
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id58" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id58"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id57" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id57"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
 
 class install_sudo {
   package { 'sudo':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id58" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id58"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=sudo
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sudo_add_env_reset" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sudo_add_env_reset" id="guide-tree-leaf-id59" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_sudo"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_sudo_add_env_reset"><span class="label label-default">Rule</span>  
                                 Ensure sudo Runs In A Minimal Environment - sudo env_reset
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_sudo_add_env_reset">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The sudo <code>env_reset</code> tag, when specified, will run the command in a minimal environment,
@@ -1246,7 +1246,11 @@
 if ! rpm -q --quiet "dnf-automatic" ; then
     yum install -y "dnf-automatic"
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id88" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id88"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure dnf-automatic is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id88" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id88"><pre><code>
+[[packages]]
+name = "dnf-automatic"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id89" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id89"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure dnf-automatic is installed
   package:
     name: dnf-automatic
     state: present
@@ -1257,19 +1261,15 @@
   - medium_severity
   - no_reboot_needed
   - package_dnf-automatic_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id89" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id89"><pre><code>
-[[packages]]
-name = "dnf-automatic"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id90" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id90"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=dnf-automatic
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id91" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id91"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_dnf-automatic
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id90" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id90"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_dnf-automatic
 
 class install_dnf-automatic {
   package { 'dnf-automatic':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id91" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id91"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=dnf-automatic
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates" id="guide-tree-leaf-id92" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_updating"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates"><span class="label label-default">Rule</span>  
                                 Configure dnf-automatic to Install Available Updates Automatically
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">To ensure that the packages comprising the available updates will be automatically installed by <code>dnf-automatic</code>, set <code>apply_updates</code> to <code>yes</code> under <code>[commands]</code> section in <code>/etc/dnf/automatic.conf</code>.</div></td></tr><tr><td><span class="label label-primary">Rationale:</span></td><td><div class="rationale">Installing software updates is a fundamental mitigation against
@@ -46624,7 +46624,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id331" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id331"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id331" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id331"><pre><code>[customizations.kernel]
+append = "iommu=force"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id332" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id332"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -46647,8 +46649,6 @@
   - reboot_required
   - restrict_strategy
   - unknown_severity
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id332" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id332"><pre><code>[customizations.kernel]
-append = "iommu=force"
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_l1tf_argument" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_grub2_l1tf_argument" id="guide-tree-leaf-id333" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_bootloader-grub2"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_grub2_l1tf_argument"><span class="label label-default">Rule</span>  
                                 Configure L1 Terminal Fault mitigations
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_grub2_l1tf_argument">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">L1 Terminal Fault (L1TF) is a hardware vulnerability which allows unprivileged
@@ -46683,7 +46683,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id335" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id335"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id335" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id335"><pre><code>[customizations.kernel]
+append = "l1tf=<abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_l1tf_options">full,force</abbr>"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id336" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id336"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -46711,8 +46713,6 @@
   - medium_complexity
   - reboot_required
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id336" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id336"><pre><code>[customizations.kernel]
-append = "l1tf=<abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_l1tf_options">full,force</abbr>"
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_mce_argument" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_grub2_mce_argument" id="guide-tree-leaf-id337" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_bootloader-grub2"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_grub2_mce_argument"><span class="label label-default">Rule</span>  
                                 Force kernel panic on uncorrected MCEs
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_grub2_mce_argument">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">A Machine Check Exception is an error generated by the CPU itdetects an error
@@ -46738,7 +46738,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id339" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id339"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id339" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id339"><pre><code>[customizations.kernel]
+append = "mce=0"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id340" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id340"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -46761,8 +46763,6 @@
   - medium_severity
   - reboot_required
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id340" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id340"><pre><code>[customizations.kernel]
-append = "mce=0"
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_nosmap_argument_absent" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_grub2_nosmap_argument_absent" id="guide-tree-leaf-id341" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_bootloader-grub2"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_grub2_nosmap_argument_absent"><span class="label label-default">Rule</span>  
                                 Ensure SMAP is not disabled during boot
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_grub2_nosmap_argument_absent">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The SMAP is used to prevent the supervisor mode from unintentionally reading/writing into
@@ -46875,7 +46875,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id349" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id349"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id349" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id349"><pre><code>[customizations.kernel]
+append = "pti=on"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id350" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id350"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -46902,8 +46904,6 @@
   - medium_complexity
   - reboot_required
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id350" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id350"><pre><code>[customizations.kernel]
-append = "pti=on"
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_rng_core_default_quality_argument" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_grub2_rng_core_default_quality_argument" id="guide-tree-leaf-id351" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_bootloader-grub2"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_grub2_rng_core_default_quality_argument"><span class="label label-default">Rule</span>  
                                 Configure the confidence in TPM for entropy
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_grub2_rng_core_default_quality_argument">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The TPM security chip that is available in most modern systems has a hardware RNG.
@@ -46941,7 +46941,9 @@
/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_intermediary.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_intermediary.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_intermediary.html	2023-07-27 00:00:00.000000000 +0000
@@ -71,7 +71,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>ANSSI-BP-028 (intermediary)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_bp28_intermediary</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:oracle:linux:8 is applicable to this Benchmark">cpe:/o:oracle:linux:8</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_OL-8"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_OL-8"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Oracle Linux 8
                           <small>Group contains 55 groups and 166 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_OL-8"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -125,7 +125,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id16" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id16"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id16" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id16"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id17" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id17"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -142,19 +146,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id17" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id17"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id18" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id18"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id19" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id19"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id18" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id18"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id19" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id19"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_build_database" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_aide_build_database" id="guide-tree-leaf-id20" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_aide"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_aide_build_database"><span class="label label-default">Rule</span>  
                                 Build and Test AIDE Database
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_aide_build_database">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Run the following command to generate a new database:
@@ -405,7 +405,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id43" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id43"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id43" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id43"><pre><code>
+[[packages]]
+name = "sudo"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id44" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id44"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -419,19 +423,15 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id44" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id44"><pre><code>
-[[packages]]
-name = "sudo"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id45" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id45"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=sudo
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id46" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id46"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id45" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id45"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
 
 class install_sudo {
   package { 'sudo':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id46" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id46"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=sudo
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sudo_add_env_reset" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sudo_add_env_reset" id="guide-tree-leaf-id47" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_sudo"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_sudo_add_env_reset"><span class="label label-default">Rule</span>  
                                 Ensure sudo Runs In A Minimal Environment - sudo env_reset
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_sudo_add_env_reset">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The sudo <code>env_reset</code> tag, when specified, will run the command in a minimal environment,
@@ -907,7 +907,11 @@
 if ! rpm -q --quiet "dnf-automatic" ; then
     yum install -y "dnf-automatic"
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id75" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id75"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure dnf-automatic is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id75" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id75"><pre><code>
+[[packages]]
+name = "dnf-automatic"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id76" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id76"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure dnf-automatic is installed
   package:
     name: dnf-automatic
     state: present
@@ -918,19 +922,15 @@
   - medium_severity
   - no_reboot_needed
   - package_dnf-automatic_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id76" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id76"><pre><code>
-[[packages]]
-name = "dnf-automatic"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id77" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id77"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=dnf-automatic
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id78" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id78"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_dnf-automatic
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id77" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id77"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_dnf-automatic
 
 class install_dnf-automatic {
   package { 'dnf-automatic':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id78" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id78"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=dnf-automatic
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates" id="guide-tree-leaf-id79" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_updating"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates"><span class="label label-default">Rule</span>  
                                 Configure dnf-automatic to Install Available Updates Automatically
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">To ensure that the packages comprising the available updates will be automatically installed by <code>dnf-automatic</code>, set <code>apply_updates</code> to <code>yes</code> under <code>[commands]</code> section in <code>/etc/dnf/automatic.conf</code>.</div></td></tr><tr><td><span class="label label-primary">Rationale:</span></td><td><div class="rationale">Installing software updates is a fundamental mitigation against
@@ -10036,7 +10036,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id170" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id170"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id170" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id170"><pre><code>[customizations.kernel]
+append = "l1tf=<abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_l1tf_options">full,force</abbr>"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id171" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id171"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -10064,8 +10066,6 @@
   - medium_complexity
   - reboot_required
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id171" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id171"><pre><code>[customizations.kernel]
-append = "l1tf=<abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_l1tf_options">full,force</abbr>"
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_mce_argument" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_grub2_mce_argument" id="guide-tree-leaf-id172" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_bootloader-grub2"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_grub2_mce_argument"><span class="label label-default">Rule</span>  
                                 Force kernel panic on uncorrected MCEs
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_grub2_mce_argument">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">A Machine Check Exception is an error generated by the CPU itdetects an error
@@ -10091,7 +10091,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id174" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id174"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id174" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id174"><pre><code>[customizations.kernel]
+append = "mce=0"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id175" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id175"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -10114,8 +10116,6 @@
   - medium_severity
   - reboot_required
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id175" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id175"><pre><code>[customizations.kernel]
-append = "mce=0"
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_pti_argument" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_grub2_pti_argument" id="guide-tree-leaf-id176" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_bootloader-grub2"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_grub2_pti_argument"><span class="label label-default">Rule</span>  
                                 Enable Kernel Page-Table Isolation (KPTI)
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_grub2_pti_argument">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">To enable Kernel page-table isolation,
@@ -10138,7 +10138,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id178" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id178"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id178" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id178"><pre><code>[customizations.kernel]
+append = "pti=on"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id179" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id179"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -10165,8 +10167,6 @@
   - medium_complexity
   - reboot_required
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id179" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id179"><pre><code>[customizations.kernel]
-append = "pti=on"
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_rng_core_default_quality_argument" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_grub2_rng_core_default_quality_argument" id="guide-tree-leaf-id180" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_bootloader-grub2"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_grub2_rng_core_default_quality_argument"><span class="label label-default">Rule</span>  
                                 Configure the confidence in TPM for entropy
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_grub2_rng_core_default_quality_argument">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The TPM security chip that is available in most modern systems has a hardware RNG.
@@ -10204,7 +10204,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id182" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id182"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id182" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id182"><pre><code>[customizations.kernel]
+append = "rng_core.default_quality=<abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_rng_core_default_quality">500</abbr>"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id183" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id183"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -10233,8 +10235,6 @@
   - medium_complexity
   - reboot_required
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id183" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id183"><pre><code>[customizations.kernel]
-append = "rng_core.default_quality=<abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_rng_core_default_quality">500</abbr>"
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_slab_nomerge_argument" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_grub2_slab_nomerge_argument" id="guide-tree-leaf-id184" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_bootloader-grub2"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_grub2_slab_nomerge_argument"><span class="label label-default">Rule</span>  
                                 Disable merging of slabs with similar size
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_grub2_slab_nomerge_argument">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The kernel may merge similar slabs together to reduce overhead and increase
@@ -10263,7 +10263,9 @@
/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_minimal.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_minimal.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-anssi_bp28_minimal.html	2023-07-27 00:00:00.000000000 +0000
@@ -71,7 +71,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>ANSSI-BP-028 (minimal)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_bp28_minimal</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:oracle:linux:8 is applicable to this Benchmark">cpe:/o:oracle:linux:8</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_OL-8"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_OL-8"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Oracle Linux 8
                           <small>Group contains 26 groups and 47 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_OL-8"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -235,7 +235,11 @@
 if ! rpm -q --quiet "dnf-automatic" ; then
     yum install -y "dnf-automatic"
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure dnf-automatic is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><pre><code>
+[[packages]]
+name = "dnf-automatic"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id23" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id23"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure dnf-automatic is installed
   package:
     name: dnf-automatic
     state: present
@@ -246,19 +250,15 @@
   - medium_severity
   - no_reboot_needed
   - package_dnf-automatic_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id23" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id23"><pre><code>
-[[packages]]
-name = "dnf-automatic"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id24" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id24"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=dnf-automatic
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_dnf-automatic
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id24" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id24"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_dnf-automatic
 
 class install_dnf-automatic {
   package { 'dnf-automatic':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=dnf-automatic
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates" id="guide-tree-leaf-id26" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_updating"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates"><span class="label label-default">Rule</span>  
                                 Configure dnf-automatic to Install Available Updates Automatically
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">To ensure that the packages comprising the available updates will be automatically installed by <code>dnf-automatic</code>, set <code>apply_updates</code> to <code>yes</code> under <code>[commands]</code> section in <code>/etc/dnf/automatic.conf</code>.</div></td></tr><tr><td><span class="label label-primary">Rationale:</span></td><td><div class="rationale">Installing software updates is a fundamental mitigation against
@@ -8734,15 +8734,15 @@
   - medium_severity
   - no_reboot_needed
   - package_dhcp_removed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id112" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id112"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=dhcp
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id113" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id113"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_dhcp
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id112" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id112"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_dhcp
 
 class remove_dhcp {
   package { 'dhcp':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id113" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id113"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=dhcp
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_mail" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td style="padding-left: 38px" id="xccdf_org.ssgproject.content_group_mail"><span class="label label-default">Group</span>  
                 Mail Server Software
                           <small>Group contains  1 rule</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_mail" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_mail" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td style="padding-left: 38px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_mail">[ref]</a>  
@@ -8809,15 +8809,15 @@
   - medium_severity
   - no_reboot_needed
   - package_sendmail_removed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id117" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id117"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=sendmail
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id118" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id118"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_sendmail
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id117" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id117"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_sendmail
 
 class remove_sendmail {
   package { 'sendmail':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id118" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id118"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=sendmail
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_obsolete" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td style="padding-left: 38px" id="xccdf_org.ssgproject.content_group_obsolete"><span class="label label-default">Group</span>  
                 Obsolete Services
                           <small>Group contains 6 groups and 11 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_obsolete" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_obsolete" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td style="padding-left: 38px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_obsolete">[ref]</a>  
@@ -8884,15 +8884,15 @@
   - low_severity
   - no_reboot_needed
   - package_xinetd_removed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id122" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id122"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=xinetd
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id123" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id123"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_xinetd
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id122" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id122"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_xinetd
 
 class remove_xinetd {
   package { 'xinetd':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id123" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id123"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=xinetd
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_nis" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td style="padding-left: 57px" id="xccdf_org.ssgproject.content_group_nis"><span class="label label-default">Group</span>  
                 NIS
                           <small>Group contains 2 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_nis" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_nis" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td style="padding-left: 57px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_nis">[ref]</a>  
@@ -8935,15 +8935,15 @@
   - no_reboot_needed
   - package_ypbind_removed
   - unknown_severity
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id127" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id127"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=ypbind
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id128" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id128"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_ypbind
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id127" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id127"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_ypbind
 
 class remove_ypbind {
   package { 'ypbind':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id128" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id128"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=ypbind
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_ypserv_removed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ypserv_removed" id="guide-tree-leaf-id129" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_nis"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_ypserv_removed"><span class="label label-default">Rule</span>  
                                 Uninstall ypserv Package
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_ypserv_removed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The <code>ypserv</code> package can be removed with the following command:
@@ -8983,15 +8983,15 @@
   - low_disruption
   - no_reboot_needed
   - package_ypserv_removed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id132" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id132"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=ypserv
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id133" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id133"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_ypserv
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id132" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id132"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_ypserv
 
 class remove_ypserv {
   package { 'ypserv':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id133" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id133"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=ypserv
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_r_services" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td style="padding-left: 57px" id="xccdf_org.ssgproject.content_group_r_services"><span class="label label-default">Group</span>  
                 Rlogin, Rsh, and Rexec
                           <small>Group contains 2 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_r_services" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_r_services" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td style="padding-left: 57px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_r_services">[ref]</a>  
@@ -9035,15 +9035,15 @@
   - low_disruption
   - no_reboot_needed
   - package_rsh-server_removed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id137" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id137"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=rsh-server
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id138" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id138"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_rsh-server
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id137" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id137"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_rsh-server
 
 class remove_rsh-server {
   package { 'rsh-server':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id138" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id138"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=rsh-server
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_rsh_removed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_rsh_removed" id="guide-tree-leaf-id139" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_rsh_removed"><span class="label label-default">Rule</span>  
                                 Uninstall rsh Package
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_rsh_removed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">
@@ -9082,15 +9082,15 @@
   - no_reboot_needed
   - package_rsh_removed
   - unknown_severity
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id142" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id142"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=rsh
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id143" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id143"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_rsh
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id142" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id142"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_rsh
 
 class remove_rsh {
   package { 'rsh':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id143" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id143"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=rsh
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_talk" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td style="padding-left: 57px" id="xccdf_org.ssgproject.content_group_talk"><span class="label label-default">Group</span>  
                 Chat/Messaging Services
                           <small>Group contains 2 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_talk" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_talk" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td style="padding-left: 57px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_talk">[ref]</a>  
@@ -9123,15 +9123,15 @@
   - medium_severity
   - no_reboot_needed
   - package_talk-server_removed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id147" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id147"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=talk-server
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id148" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id148"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_talk-server
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id147" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id147"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_talk-server
 
 class remove_talk-server {
   package { 'talk-server':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id148" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id148"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=talk-server
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_talk_removed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_talk_removed" id="guide-tree-leaf-id149" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_talk"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_talk_removed"><span class="label label-default">Rule</span>  
                                 Uninstall talk Package
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_talk_removed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The <code>talk</code> package contains the client program for the
@@ -9167,15 +9167,15 @@
/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-cjis.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-cjis.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-cjis.html	2023-07-27 00:00:00.000000000 +0000
@@ -69,7 +69,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Criminal Justice Information Services (CJIS) Security Policy</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_cjis</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:oracle:linux:8 is applicable to this Benchmark">cpe:/o:oracle:linux:8</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_OL-8"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_OL-8"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Oracle Linux 8
                           <small>Group contains 49 groups and 105 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_OL-8"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -449,7 +449,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id23" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id23"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -466,19 +470,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id23" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id23"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id24" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id24"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id24" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id24"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_build_database" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_aide_build_database" id="guide-tree-leaf-id26" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_aide"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_aide_build_database"><span class="label label-default">Rule</span>  
                                 Build and Test AIDE Database
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_aide_build_database">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Run the following command to generate a new database:
@@ -4354,7 +4354,26 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id95" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id95"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id95" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id95"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/password-auth
+        overwrite: true
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/system-auth
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id96" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id96"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
     authselect
   ansible.builtin.stat:
     path: /usr/bin/authselect
@@ -4478,25 +4497,6 @@
   - medium_disruption
   - no_empty_passwords
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id96" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id96"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/password-auth
-        overwrite: true
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/system-auth
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_accounts-session" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts"><td style="padding-left: 57px" id="xccdf_org.ssgproject.content_group_accounts-session"><span class="label label-default">Group</span>  
                 Secure Session Configuration Files for Login Accounts
                           <small>Group contains  1 rule</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_accounts-session" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_accounts-session" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts"><td style="padding-left: 57px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_accounts-session">[ref]</a>  
@@ -29291,7 +29291,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id214" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id214"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id214" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id214"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    systemd:
+      units:
+      - name: auditd.service
+        enabled: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id215" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id215"><pre><code>
+[customizations.services]
+enabled = ["auditd"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id216" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id216"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -29359,20 +29373,6 @@
   - medium_severity
   - no_reboot_needed
   - service_auditd_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id215" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id215"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-      - name: auditd.service
-        enabled: true
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id216" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id216"><pre><code>
-[customizations.services]
-enabled = ["auditd"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id217" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id217"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_auditd
 
 class enable_auditd {
@@ -29403,7 +29403,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id220" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id220"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id220" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id220"><pre><code>[customizations.kernel]
+append = "audit=1"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id221" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id221"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -29446,8 +29448,6 @@
   - medium_complexity
   - reboot_required
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id221" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id221"><pre><code>[customizations.kernel]
-append = "audit=1"
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_bootloader-grub2" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td style="padding-left: 38px" id="xccdf_org.ssgproject.content_group_bootloader-grub2"><span class="label label-default">Group</span>  
                 GRUB2 bootloader configuration
                           <small>Group contains 2 groups and 4 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_bootloader-grub2" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_bootloader-grub2" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td style="padding-left: 38px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_bootloader-grub2">[ref]</a>  
@@ -29887,7 +29887,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id236" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id236"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service firewalld
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id236" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id236"><pre><code>
+[customizations.services]
+enabled = ["firewalld"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id237" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id237"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service firewalld
   block:
 
   - name: Gather the package facts
@@ -29918,9 +29921,6 @@
   - medium_severity
   - no_reboot_needed
   - service_firewalld_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id237" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id237"><pre><code>
-[customizations.services]
-enabled = ["firewalld"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id238" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id238"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_firewalld
 
 class enable_firewalld {
/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-cui.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-cui.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-cui.html	2023-07-27 00:00:00.000000000 +0000
@@ -81,7 +81,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_cui</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:oracle:linux:8 is applicable to this Benchmark">cpe:/o:oracle:linux:8</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_fapolicyd">Application Whitelisting Daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_kerberos">Kerberos</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_usbguard">USBGuard daemon</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_OL-8"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_OL-8"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Oracle Linux 8
                           <small>Group contains 63 groups and 205 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_OL-8"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -135,7 +135,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id16" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id16"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id16" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id16"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id17" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id17"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -152,19 +156,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id17" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id17"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id18" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id18"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id19" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id19"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id18" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id18"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id19" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id19"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_fips" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_integrity"><td style="padding-left: 76px" id="xccdf_org.ssgproject.content_group_fips"><span class="label label-default">Group</span>  
                 Federal Information Processing Standard (FIPS)
                           <small>Group contains 2 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_fips" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_fips" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_integrity"><td style="padding-left: 76px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_fips">[ref]</a>  
@@ -445,7 +445,11 @@
 if ! rpm -q --quiet "crypto-policies" ; then
     yum install -y "crypto-policies"
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id28" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id28"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure crypto-policies is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id28" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id28"><pre><code>
+[[packages]]
+name = "crypto-policies"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id29" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id29"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure crypto-policies is installed
   package:
     name: crypto-policies
     state: present
@@ -456,19 +460,15 @@
   - medium_severity
   - no_reboot_needed
   - package_crypto-policies_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id29" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id29"><pre><code>
-[[packages]]
-name = "crypto-policies"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id30" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id30"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=crypto-policies
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id31" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id31"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_crypto-policies
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id30" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id30"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_crypto-policies
 
 class install_crypto-policies {
   package { 'crypto-policies':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id31" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id31"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=crypto-policies
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_configure_bind_crypto_policy" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_configure_bind_crypto_policy" id="guide-tree-leaf-id32" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_crypto"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_configure_bind_crypto_policy"><span class="label label-default">Rule</span>  
                                 Configure BIND to use System Crypto Policy
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_configure_bind_crypto_policy">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -1018,7 +1018,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id64" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id64"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id64" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id64"><pre><code>
+[[packages]]
+name = "sudo"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id65" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id65"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -1032,19 +1036,15 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id65" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id65"><pre><code>
-[[packages]]
-name = "sudo"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id66" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id66"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=sudo
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id67" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id67"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id66" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id66"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
 
 class install_sudo {
   package { 'sudo':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id67" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id67"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=sudo
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system-tools" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_software"><td style="padding-left: 57px" id="xccdf_org.ssgproject.content_group_system-tools"><span class="label label-default">Group</span>  
                 System Tooling / Utilities
                           <small>Group contains 12 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_system-tools" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_system-tools" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_software"><td style="padding-left: 57px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_system-tools">[ref]</a>  
@@ -1064,7 +1064,11 @@
 if ! rpm -q --quiet "gnutls-utils" ; then
     yum install -y "gnutls-utils"
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id70" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id70"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure gnutls-utils is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id70" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id70"><pre><code>
+[[packages]]
+name = "gnutls-utils"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id71" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id71"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure gnutls-utils is installed
   package:
     name: gnutls-utils
     state: present
@@ -1075,19 +1079,15 @@
   - medium_severity
   - no_reboot_needed
   - package_gnutls-utils_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id71" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id71"><pre><code>
-[[packages]]
-name = "gnutls-utils"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id72" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id72"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=gnutls-utils
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id73" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id73"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_gnutls-utils
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id72" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id72"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_gnutls-utils
 
 class install_gnutls-utils {
   package { 'gnutls-utils':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id73" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id73"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=gnutls-utils
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_openscap-scanner_installed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_openscap-scanner_installed" id="guide-tree-leaf-id74" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system-tools"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_openscap-scanner_installed"><span class="label label-default">Rule</span>  
                                 Install openscap-scanner Package
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_openscap-scanner_installed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The <code>openscap-scanner</code> package can be installed with the following command:
@@ -1099,7 +1099,11 @@
 if ! rpm -q --quiet "openscap-scanner" ; then
     yum install -y "openscap-scanner"
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id76" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id76"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure openscap-scanner is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id76" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id76"><pre><code>
+[[packages]]
+name = "openscap-scanner"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id77" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id77"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure openscap-scanner is installed
   package:
     name: openscap-scanner
     state: present
@@ -1110,19 +1114,15 @@
   - medium_severity
   - no_reboot_needed
   - package_openscap-scanner_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id77" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id77"><pre><code>
-[[packages]]
-name = "openscap-scanner"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id78" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id78"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=openscap-scanner
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id79" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id79"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_openscap-scanner
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id78" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id78"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_openscap-scanner
 
 class install_openscap-scanner {
   package { 'openscap-scanner':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id79" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id79"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=openscap-scanner
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_scap-security-guide_installed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_scap-security-guide_installed" id="guide-tree-leaf-id80" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system-tools"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_scap-security-guide_installed"><span class="label label-default">Rule</span>  
                                 Install scap-security-guide Package
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_scap-security-guide_installed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The <code>scap-security-guide</code> package can be installed with the following command:
@@ -1140,7 +1140,11 @@
 if ! rpm -q --quiet "scap-security-guide" ; then
     yum install -y "scap-security-guide"
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id82" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id82"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure scap-security-guide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id82" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id82"><pre><code>
+[[packages]]
+name = "scap-security-guide"
+version = "*"
/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-e8.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-e8.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-e8.html	2023-07-27 00:00:00.000000000 +0000
@@ -71,7 +71,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>[DRAFT] Australian Cyber Security Centre (ACSC) Essential Eight</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_e8</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:oracle:linux:8 is applicable to this Benchmark">cpe:/o:oracle:linux:8</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_avahi">Avahi Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_fapolicyd">Application Whitelisting Daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_proxy">Proxy Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_routing">Network Routing</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_OL-8"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_OL-8"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Oracle Linux 8
                           <small>Group contains 48 groups and 95 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_OL-8"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -941,7 +941,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id40" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id40"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rear is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id40" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id40"><pre><code>
+[[packages]]
+name = "rear"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id41" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id41"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rear is installed
   package:
     name: rear
     state: present
@@ -957,19 +961,15 @@
   - medium_severity
   - no_reboot_needed
   - package_rear_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id41" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id41"><pre><code>
-[[packages]]
-name = "rear"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id42" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id42"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=rear
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id43" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id43"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_rear
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id42" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id42"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_rear
 
 class install_rear {
   package { 'rear':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id43" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id43"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=rear
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_updating" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_software"><td style="padding-left: 57px" id="xccdf_org.ssgproject.content_group_updating"><span class="label label-default">Group</span>  
                 Updating Software
                           <small>Group contains 6 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_updating" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_updating" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_software"><td style="padding-left: 57px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_updating">[ref]</a>  
@@ -1490,7 +1490,26 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id63" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id63"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id63" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id63"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/password-auth
+        overwrite: true
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/system-auth
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id64" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id64"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
     authselect
   ansible.builtin.stat:
     path: /usr/bin/authselect
@@ -1614,25 +1633,6 @@
   - medium_disruption
   - no_empty_passwords
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id64" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id64"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/password-auth
-        overwrite: true
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/system-auth
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_root_logins" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-restrictions"><td style="padding-left: 76px" id="xccdf_org.ssgproject.content_group_root_logins"><span class="label label-default">Group</span>  
                 Restrict Root Logins
                           <small>Group contains  1 rule</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_root_logins" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_root_logins" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-restrictions"><td style="padding-left: 76px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_root_logins">[ref]</a>  
@@ -14750,7 +14750,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id146" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id146"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id146" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id146"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    systemd:
+      units:
+      - name: auditd.service
+        enabled: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id147" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id147"><pre><code>
+[customizations.services]
+enabled = ["auditd"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id148" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id148"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -14818,20 +14832,6 @@
   - medium_severity
   - no_reboot_needed
   - service_auditd_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id147" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id147"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-      - name: auditd.service
-        enabled: true
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id148" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id148"><pre><code>
-[customizations.services]
-enabled = ["auditd"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id149" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id149"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_auditd
 
 class enable_auditd {
@@ -14872,7 +14872,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id152" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id152"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rsyslog is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id152" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id152"><pre><code>
+[[packages]]
+name = "rsyslog"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id153" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id153"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rsyslog is installed
   package:
     name: rsyslog
     state: present
@@ -14886,19 +14890,15 @@
   - medium_severity
   - no_reboot_needed
   - package_rsyslog_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id153" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id153"><pre><code>
-[[packages]]
-name = "rsyslog"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id154" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id154"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=rsyslog
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id155" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id155"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_rsyslog
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id154" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id154"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_rsyslog
 
 class install_rsyslog {
   package { 'rsyslog':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id155" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id155"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=rsyslog
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_rsyslog_enabled" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rsyslog_enabled" id="guide-tree-leaf-id156" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_logging"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_service_rsyslog_enabled"><span class="label label-default">Rule</span>  
                                 Enable rsyslog Service
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_service_rsyslog_enabled">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The <code>rsyslog</code> service provides syslog-style logging by default on Oracle Linux 8.
@@ -14917,7 +14917,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id158" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id158"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service rsyslog
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id158" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id158"><pre><code>
+[customizations.services]
+enabled = ["rsyslog"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id159" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id159"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service rsyslog
   block:
 
   - name: Gather the package facts
@@ -14943,9 +14946,6 @@
   - medium_severity
   - no_reboot_needed
   - service_rsyslog_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id159" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id159"><pre><code>
-[customizations.services]
-enabled = ["rsyslog"]
/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-hipaa.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-hipaa.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-hipaa.html	2023-07-27 00:00:00.000000000 +0000
@@ -74,7 +74,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Health Insurance Portability and Accountability Act (HIPAA)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_hipaa</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:oracle:linux:8 is applicable to this Benchmark">cpe:/o:oracle:linux:8</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_routing">Network Routing</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_OL-8"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_OL-8"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Oracle Linux 8
                           <small>Group contains 54 groups and 140 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_OL-8"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -1342,7 +1342,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id48" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id48"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Block Disable service debug-shell
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id48" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id48"><pre><code>
+[customizations.services]
+disabled = ["debug-shell"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id49" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id49"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Block Disable service debug-shell
   block:
 
   - name: Disable service debug-shell
@@ -1408,9 +1411,6 @@
   - medium_severity
   - no_reboot_needed
   - service_debug-shell_disabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id49" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id49"><pre><code>
-[customizations.services]
-disabled = ["debug-shell"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id50" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id50"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include disable_debug-shell
 
 class disable_debug-shell {
@@ -1804,7 +1804,26 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id65" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id65"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id65" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id65"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/password-auth
+        overwrite: true
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/system-auth
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id66" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id66"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
     authselect
   ansible.builtin.stat:
     path: /usr/bin/authselect
@@ -1928,25 +1947,6 @@
   - medium_disruption
   - no_empty_passwords
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id66" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id66"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/password-auth
-        overwrite: true
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/system-auth
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_root_logins" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-restrictions"><td style="padding-left: 76px" id="xccdf_org.ssgproject.content_group_root_logins"><span class="label label-default">Group</span>  
                 Restrict Root Logins
                           <small>Group contains 3 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_root_logins" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_root_logins" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-restrictions"><td style="padding-left: 76px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_root_logins">[ref]</a>  
@@ -48373,7 +48373,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id282" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id282"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id282" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id282"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    systemd:
+      units:
+      - name: auditd.service
+        enabled: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id283" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id283"><pre><code>
+[customizations.services]
+enabled = ["auditd"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id284" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id284"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -48441,20 +48455,6 @@
   - medium_severity
   - no_reboot_needed
   - service_auditd_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id283" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id283"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-      - name: auditd.service
-        enabled: true
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id284" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id284"><pre><code>
-[customizations.services]
-enabled = ["auditd"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id285" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id285"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_auditd
 
 class enable_auditd {
@@ -48485,7 +48485,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id288" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id288"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id288" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id288"><pre><code>[customizations.kernel]
+append = "audit=1"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id289" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id289"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -48528,8 +48530,6 @@
   - medium_complexity
   - reboot_required
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id289" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id289"><pre><code>[customizations.kernel]
-append = "audit=1"
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_bootloader-grub2" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td style="padding-left: 38px" id="xccdf_org.ssgproject.content_group_bootloader-grub2"><span class="label label-default">Group</span>  
                 GRUB2 bootloader configuration
                           <small>Group contains 2 groups and 8 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_bootloader-grub2" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_bootloader-grub2" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td style="padding-left: 38px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_bootloader-grub2">[ref]</a>  
@@ -49261,7 +49261,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id316" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id316"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Block Disable service autofs
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id316" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id316"><pre><code>
+[customizations.services]
+disabled = ["autofs"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id317" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id317"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Block Disable service autofs
   block:
 
   - name: Disable service autofs
@@ -49336,9 +49339,6 @@
   - medium_severity
   - no_reboot_needed
   - service_autofs_disabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id317" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id317"><pre><code>
-[customizations.services]
-disabled = ["autofs"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id318" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id318"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include disable_autofs
 
 class disable_autofs {
@@ -50438,7 +50438,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id352" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id352"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Block Disable service kdump
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id352" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id352"><pre><code>
+[customizations.services]
+disabled = ["kdump"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id353" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id353"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Block Disable service kdump
   block:
 
   - name: Disable service kdump
@@ -50507,12 +50510,7 @@
   - medium_severity
   - no_reboot_needed
   - service_kdump_disabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id353" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id353"><pre><code>
-[customizations.services]
-disabled = ["kdump"]
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id354" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id354"><pre><code>
-kdump --disable
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id355" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id355"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include disable_kdump
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id354" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id354"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include disable_kdump
 
 class disable_kdump {
   service {'kdump':
@@ -50520,6 +50518,8 @@
/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-ospp.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-ospp.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-ospp.html	2023-07-27 00:00:00.000000000 +0000
@@ -72,7 +72,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>[DRAFT] Protection Profile for General Purpose Operating Systems</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_ospp</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:oracle:linux:8 is applicable to this Benchmark">cpe:/o:oracle:linux:8</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_fapolicyd">Application Whitelisting Daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_kerberos">Kerberos</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_usbguard">USBGuard daemon</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_OL-8"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_OL-8"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Oracle Linux 8
                           <small>Group contains 63 groups and 205 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_OL-8"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -126,7 +126,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id16" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id16"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id16" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id16"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id17" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id17"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -143,19 +147,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id17" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id17"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id18" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id18"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id19" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id19"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id18" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id18"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id19" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id19"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_fips" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_integrity"><td style="padding-left: 76px" id="xccdf_org.ssgproject.content_group_fips"><span class="label label-default">Group</span>  
                 Federal Information Processing Standard (FIPS)
                           <small>Group contains 2 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_fips" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_fips" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_integrity"><td style="padding-left: 76px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_fips">[ref]</a>  
@@ -436,7 +436,11 @@
 if ! rpm -q --quiet "crypto-policies" ; then
     yum install -y "crypto-policies"
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id28" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id28"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure crypto-policies is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id28" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id28"><pre><code>
+[[packages]]
+name = "crypto-policies"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id29" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id29"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure crypto-policies is installed
   package:
     name: crypto-policies
     state: present
@@ -447,19 +451,15 @@
   - medium_severity
   - no_reboot_needed
   - package_crypto-policies_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id29" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id29"><pre><code>
-[[packages]]
-name = "crypto-policies"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id30" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id30"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=crypto-policies
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id31" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id31"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_crypto-policies
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id30" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id30"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_crypto-policies
 
 class install_crypto-policies {
   package { 'crypto-policies':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id31" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id31"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=crypto-policies
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_configure_bind_crypto_policy" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_configure_bind_crypto_policy" id="guide-tree-leaf-id32" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_crypto"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_configure_bind_crypto_policy"><span class="label label-default">Rule</span>  
                                 Configure BIND to use System Crypto Policy
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_configure_bind_crypto_policy">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -1009,7 +1009,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id64" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id64"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id64" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id64"><pre><code>
+[[packages]]
+name = "sudo"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id65" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id65"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -1023,19 +1027,15 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id65" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id65"><pre><code>
-[[packages]]
-name = "sudo"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id66" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id66"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=sudo
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id67" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id67"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id66" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id66"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
 
 class install_sudo {
   package { 'sudo':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id67" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id67"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=sudo
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system-tools" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_software"><td style="padding-left: 57px" id="xccdf_org.ssgproject.content_group_system-tools"><span class="label label-default">Group</span>  
                 System Tooling / Utilities
                           <small>Group contains 12 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_system-tools" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_system-tools" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_software"><td style="padding-left: 57px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_system-tools">[ref]</a>  
@@ -1055,7 +1055,11 @@
 if ! rpm -q --quiet "gnutls-utils" ; then
     yum install -y "gnutls-utils"
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id70" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id70"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure gnutls-utils is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id70" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id70"><pre><code>
+[[packages]]
+name = "gnutls-utils"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id71" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id71"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure gnutls-utils is installed
   package:
     name: gnutls-utils
     state: present
@@ -1066,19 +1070,15 @@
   - medium_severity
   - no_reboot_needed
   - package_gnutls-utils_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id71" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id71"><pre><code>
-[[packages]]
-name = "gnutls-utils"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id72" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id72"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=gnutls-utils
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id73" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id73"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_gnutls-utils
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id72" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id72"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_gnutls-utils
 
 class install_gnutls-utils {
   package { 'gnutls-utils':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id73" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id73"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=gnutls-utils
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_openscap-scanner_installed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_openscap-scanner_installed" id="guide-tree-leaf-id74" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system-tools"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_openscap-scanner_installed"><span class="label label-default">Rule</span>  
                                 Install openscap-scanner Package
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_openscap-scanner_installed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The <code>openscap-scanner</code> package can be installed with the following command:
@@ -1090,7 +1090,11 @@
 if ! rpm -q --quiet "openscap-scanner" ; then
     yum install -y "openscap-scanner"
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id76" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id76"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure openscap-scanner is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id76" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id76"><pre><code>
+[[packages]]
+name = "openscap-scanner"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id77" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id77"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure openscap-scanner is installed
   package:
     name: openscap-scanner
     state: present
@@ -1101,19 +1105,15 @@
   - medium_severity
   - no_reboot_needed
   - package_openscap-scanner_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id77" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id77"><pre><code>
-[[packages]]
-name = "openscap-scanner"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id78" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id78"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=openscap-scanner
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id79" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id79"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_openscap-scanner
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id78" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id78"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_openscap-scanner
 
 class install_openscap-scanner {
   package { 'openscap-scanner':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id79" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id79"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=openscap-scanner
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_scap-security-guide_installed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_scap-security-guide_installed" id="guide-tree-leaf-id80" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system-tools"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_scap-security-guide_installed"><span class="label label-default">Rule</span>  
                                 Install scap-security-guide Package
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_scap-security-guide_installed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The <code>scap-security-guide</code> package can be installed with the following command:
@@ -1131,7 +1131,11 @@
 if ! rpm -q --quiet "scap-security-guide" ; then
     yum install -y "scap-security-guide"
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id82" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id82"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure scap-security-guide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id82" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id82"><pre><code>
+[[packages]]
+name = "scap-security-guide"
+version = "*"
/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-pci-dss.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-pci-dss.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-pci-dss.html	2023-07-27 00:00:00.000000000 +0000
@@ -65,7 +65,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>PCI-DSS v3.2.1 Control Baseline Draft for Oracle Linux 8</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_pci-dss</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:oracle:linux:8 is applicable to this Benchmark">cpe:/o:oracle:linux:8</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_sssd">System Security Services Daemon</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_OL-8"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_OL-8"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Oracle Linux 8
                           <small>Group contains 50 groups and 125 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_OL-8"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -445,7 +445,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id23" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id23"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -462,19 +466,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id23" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id23"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id24" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id24"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id24" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id24"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_build_database" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_aide_build_database" id="guide-tree-leaf-id26" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_aide"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_aide_build_database"><span class="label label-default">Rule</span>  
                                 Build and Test AIDE Database
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_aide_build_database">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Run the following command to generate a new database:
@@ -7768,7 +7768,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id113" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id113"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure opensc is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id113" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id113"><pre><code>
+[[packages]]
+name = "opensc"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id114" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id114"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure opensc is installed
   package:
     name: opensc
     state: present
@@ -7782,19 +7786,15 @@
   - medium_severity
   - no_reboot_needed
   - package_opensc_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id114" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id114"><pre><code>
-[[packages]]
-name = "opensc"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id115" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id115"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=opensc
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id116" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id116"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_opensc
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id115" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id115"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_opensc
 
 class install_opensc {
   package { 'opensc':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id116" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id116"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=opensc
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_pcsc-lite_installed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_pcsc-lite_installed" id="guide-tree-leaf-id117" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smart_card_login"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_pcsc-lite_installed"><span class="label label-default">Rule</span>  
                                 Install the pcsc-lite package
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_pcsc-lite_installed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The <code>pcsc-lite</code> package can be installed with the following command:
@@ -7811,7 +7811,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id119" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id119"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure pcsc-lite is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id119" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id119"><pre><code>
+[[packages]]
+name = "pcsc-lite"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id120" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id120"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure pcsc-lite is installed
   package:
     name: pcsc-lite
     state: present
@@ -7824,19 +7828,15 @@
   - medium_severity
   - no_reboot_needed
   - package_pcsc-lite_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id120" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id120"><pre><code>
-[[packages]]
-name = "pcsc-lite"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id121" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id121"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=pcsc-lite
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id122" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id122"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_pcsc-lite
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id121" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id121"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_pcsc-lite
 
 class install_pcsc-lite {
   package { 'pcsc-lite':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id122" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id122"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=pcsc-lite
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_pcscd_enabled" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_pcscd_enabled" id="guide-tree-leaf-id123" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smart_card_login"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_service_pcscd_enabled"><span class="label label-default">Rule</span>  
                                 Enable the pcscd Service
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_service_pcscd_enabled">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">
@@ -7862,7 +7862,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id125" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id125"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service pcscd
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id125" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id125"><pre><code>
+[customizations.services]
+enabled = ["pcscd"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id126" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id126"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service pcscd
   block:
 
   - name: Gather the package facts
@@ -7900,9 +7903,6 @@
   - medium_severity
   - no_reboot_needed
   - service_pcscd_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id126" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id126"><pre><code>
-[customizations.services]
-enabled = ["pcscd"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id127" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id127"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_pcscd
 
 class enable_pcscd {
@@ -8420,7 +8420,26 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id145" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id145"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id145" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id145"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/password-auth
+        overwrite: true
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/system-auth
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id146" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id146"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
     authselect
   ansible.builtin.stat:
     path: /usr/bin/authselect
@@ -8544,25 +8563,6 @@
   - medium_disruption
   - no_empty_passwords
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id146" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id146"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/password-auth
-        overwrite: true
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/system-auth
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_auditing" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td style="padding-left: 38px" id="xccdf_org.ssgproject.content_group_auditing"><span class="label label-default">Group</span>  
                 System Accounting with auditd
                           <small>Group contains 9 groups and 57 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_auditing" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_auditing" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td style="padding-left: 38px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_auditing">[ref]</a>  
@@ -46087,7 +46087,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id309" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id309"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure audispd-plugins is installed
/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-standard.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-standard.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-standard.html	2023-07-27 00:00:00.000000000 +0000
@@ -67,7 +67,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Standard System Security Profile for Oracle Linux 8</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_standard</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:oracle:linux:8 is applicable to this Benchmark">cpe:/o:oracle:linux:8</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_OL-8"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_OL-8"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Oracle Linux 8
                           <small>Group contains 29 groups and 78 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_OL-8"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -1135,7 +1135,26 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id52" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id52"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id52" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id52"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/password-auth
+        overwrite: true
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/system-auth
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id53" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id53"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
     authselect
   ansible.builtin.stat:
     path: /usr/bin/authselect
@@ -1259,25 +1278,6 @@
   - medium_disruption
   - no_empty_passwords
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id53" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id53"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/password-auth
-        overwrite: true
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/system-auth
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_accounts-session" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts"><td style="padding-left: 57px" id="xccdf_org.ssgproject.content_group_accounts-session"><span class="label label-default">Group</span>  
                 Secure Session Configuration Files for Login Accounts
                           <small>Group contains 1 group and 2 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_accounts-session" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_accounts-session" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts"><td style="padding-left: 57px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_accounts-session">[ref]</a>  
@@ -33015,7 +33015,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id194" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id194"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rsyslog is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id194" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id194"><pre><code>
+[[packages]]
+name = "rsyslog"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id195" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id195"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rsyslog is installed
   package:
     name: rsyslog
     state: present
@@ -33029,19 +33033,15 @@
   - medium_severity
   - no_reboot_needed
   - package_rsyslog_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id195" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id195"><pre><code>
-[[packages]]
-name = "rsyslog"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id196" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id196"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=rsyslog
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id197" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id197"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_rsyslog
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id196" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id196"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_rsyslog
 
 class install_rsyslog {
   package { 'rsyslog':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id197" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id197"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=rsyslog
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_rsyslog_enabled" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rsyslog_enabled" id="guide-tree-leaf-id198" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_logging"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_service_rsyslog_enabled"><span class="label label-default">Rule</span>  
                                 Enable rsyslog Service
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_service_rsyslog_enabled">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The <code>rsyslog</code> service provides syslog-style logging by default on Oracle Linux 8.
@@ -33060,7 +33060,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id200" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id200"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service rsyslog
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id200" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id200"><pre><code>
+[customizations.services]
+enabled = ["rsyslog"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id201" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id201"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service rsyslog
   block:
 
   - name: Gather the package facts
@@ -33086,9 +33089,6 @@
   - medium_severity
   - no_reboot_needed
   - service_rsyslog_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id201" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id201"><pre><code>
-[customizations.services]
-enabled = ["rsyslog"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id202" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id202"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_rsyslog
 
 class enable_rsyslog {
@@ -33281,7 +33281,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id212" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id212"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Block Disable service autofs
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id212" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id212"><pre><code>
+[customizations.services]
+disabled = ["autofs"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id213" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id213"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Block Disable service autofs
   block:
 
   - name: Disable service autofs
@@ -33356,9 +33359,6 @@
   - medium_severity
   - no_reboot_needed
   - service_autofs_disabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id213" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id213"><pre><code>
-[customizations.services]
-disabled = ["autofs"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id214" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id214"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include disable_autofs
 
 class disable_autofs {
@@ -33762,7 +33762,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id223" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id223"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Block Disable service abrtd
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id223" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id223"><pre><code>
+[customizations.services]
+disabled = ["abrtd"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id224" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id224"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Block Disable service abrtd
   block:
 
   - name: Disable service abrtd
@@ -33825,9 +33828,6 @@
   - medium_severity
   - no_reboot_needed
   - service_abrtd_disabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id224" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id224"><pre><code>
-[customizations.services]
-disabled = ["abrtd"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id225" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id225"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include disable_abrtd
 
 class disable_abrtd {
@@ -33869,7 +33869,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id228" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id228"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Block Disable service ntpdate
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id228" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id228"><pre><code>
+[customizations.services]
+disabled = ["ntpdate"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id229" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id229"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Block Disable service ntpdate
   block:
 
   - name: Disable service ntpdate
@@ -33935,9 +33938,6 @@
   - low_severity
   - no_reboot_needed
   - service_ntpdate_disabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id229" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id229"><pre><code>
-[customizations.services]
-disabled = ["ntpdate"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id230" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id230"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include disable_ntpdate
 
 class disable_ntpdate {
@@ -33978,7 +33978,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id233" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id233"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Block Disable service oddjobd
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id233" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id233"><pre><code>
+[customizations.services]
+disabled = ["oddjobd"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id234" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id234"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Block Disable service oddjobd
   block:
 
/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-stig.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-stig.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-stig.html	2023-07-27 00:00:00.000000000 +0000
@@ -66,7 +66,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>DISA STIG for Oracle Linux 8</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_stig</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:oracle:linux:8 is applicable to this Benchmark">cpe:/o:oracle:linux:8</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_fapolicyd">Application Whitelisting Daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_kerberos">Kerberos</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_rng">Hardware RNG Entropy Gatherer Daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_sssd">System Security Services Daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_usbguard">USBGuard daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_xwindows">X Window System</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_OL-8"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_OL-8"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Oracle Linux 8
                           <small>Group contains 106 groups and 407 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_OL-8"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -120,7 +120,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id16" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id16"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id16" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id16"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id17" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id17"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -137,19 +141,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id17" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id17"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id18" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id18"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id19" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id19"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id18" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id18"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id19" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id19"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_build_database" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_aide_build_database" id="guide-tree-leaf-id20" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_aide"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_aide_build_database"><span class="label label-default">Rule</span>  
                                 Build and Test AIDE Database
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_aide_build_database">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Run the following command to generate a new database:
@@ -4942,7 +4942,11 @@
 if ! rpm -q --quiet "rng-tools" ; then
     yum install -y "rng-tools"
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id143" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id143"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rng-tools is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id143" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id143"><pre><code>
+[[packages]]
+name = "rng-tools"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id144" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id144"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rng-tools is installed
   package:
     name: rng-tools
     state: present
@@ -4954,19 +4958,15 @@
   - low_severity
   - no_reboot_needed
   - package_rng-tools_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id144" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id144"><pre><code>
-[[packages]]
-name = "rng-tools"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id145" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id145"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=rng-tools
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id146" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id146"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_rng-tools
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id145" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id145"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_rng-tools
 
 class install_rng-tools {
   package { 'rng-tools':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id146" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id146"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=rng-tools
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_abrt-libs_removed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_abrt-libs_removed" id="guide-tree-leaf-id147" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system-tools"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_abrt-libs_removed"><span class="label label-default">Rule</span>  
                                 Uninstall abrt-libs Package
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_abrt-libs_removed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The <code>abrt-libs</code> package can be removed with the following command:
@@ -4996,15 +4996,15 @@
   - medium_severity
   - no_reboot_needed
   - package_abrt-libs_removed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id150" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id150"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=abrt-libs
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id151" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id151"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_abrt-libs
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id150" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id150"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_abrt-libs
 
 class remove_abrt-libs {
   package { 'abrt-libs':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id151" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id151"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=abrt-libs
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_abrt-server-info-page_removed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_abrt-server-info-page_removed" id="guide-tree-leaf-id152" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system-tools"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_abrt-server-info-page_removed"><span class="label label-default">Rule</span>  
                                 Uninstall abrt-server-info-page Package
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_abrt-server-info-page_removed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The <code>abrt-server-info-page</code> package can be removed with the following command:
@@ -5034,15 +5034,15 @@
   - medium_severity
   - no_reboot_needed
   - package_abrt-server-info-page_removed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id155" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id155"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=abrt-server-info-page
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id156" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id156"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_abrt-server-info-page
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id155" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id155"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_abrt-server-info-page
 
 class remove_abrt-server-info-page {
   package { 'abrt-server-info-page':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id156" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id156"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=abrt-server-info-page
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_gssproxy_removed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_gssproxy_removed" id="guide-tree-leaf-id157" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system-tools"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_gssproxy_removed"><span class="label label-default">Rule</span>  
                                 Uninstall gssproxy Package
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_gssproxy_removed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The <code>gssproxy</code> package can be removed with the following command:
@@ -5109,15 +5109,15 @@
   - medium_severity
   - no_reboot_needed
   - package_iprutils_removed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id164" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id164"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=iprutils
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id165" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id165"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_iprutils
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id164" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id164"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_iprutils
 
 class remove_iprutils {
   package { 'iprutils':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id165" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id165"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=iprutils
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_krb5-workstation_removed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_krb5-workstation_removed" id="guide-tree-leaf-id166" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system-tools"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_krb5-workstation_removed"><span class="label label-default">Rule</span>  
                                 Uninstall krb5-workstation Package
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_krb5-workstation_removed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The <code>krb5-workstation</code> package can be removed with the following command:
@@ -5148,15 +5148,15 @@
   - medium_severity
   - no_reboot_needed
   - package_krb5-workstation_removed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id169" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id169"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=krb5-workstation
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id170" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id170"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_krb5-workstation
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id169" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id169"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_krb5-workstation
 
 class remove_krb5-workstation {
   package { 'krb5-workstation':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id170" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id170"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=krb5-workstation
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_libreport-plugin-logger_removed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_libreport-plugin-logger_removed" id="guide-tree-leaf-id171" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system-tools"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_libreport-plugin-logger_removed"><span class="label label-default">Rule</span>  
                                 Uninstall libreport-plugin-logger Package
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_libreport-plugin-logger_removed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The <code>libreport-plugin-logger</code> package can be removed with the following command:
@@ -5187,15 +5187,15 @@
   - low_severity
   - no_reboot_needed
   - package_libreport-plugin-logger_removed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id174" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id174"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=libreport-plugin-logger
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id175" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id175"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_libreport-plugin-logger
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id174" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id174"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_libreport-plugin-logger
 
 class remove_libreport-plugin-logger {
   package { 'libreport-plugin-logger':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id175" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id175"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=libreport-plugin-logger
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_tuned_removed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_tuned_removed" id="guide-tree-leaf-id176" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system-tools"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_tuned_removed"><span class="label label-default">Rule</span>  
                                 Uninstall tuned Package
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_tuned_removed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The <code>tuned</code> package can be removed with the following command:
@@ -5228,15 +5228,15 @@
   - medium_severity
   - no_reboot_needed
   - package_tuned_removed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id179" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id179"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=tuned
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id180" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id180"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_tuned
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id179" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id179"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_tuned
 
 class remove_tuned {
   package { 'tuned':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id180" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id180"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=tuned
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_updating" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_software"><td style="padding-left: 57px" id="xccdf_org.ssgproject.content_group_updating"><span class="label label-default">Group</span>  
                 Updating Software
                           <small>Group contains 6 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_updating" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_updating" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_software"><td style="padding-left: 57px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_updating">[ref]</a>  
@@ -20086,7 +20086,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
/usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-stig_gui.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-stig_gui.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol8-guide-stig_gui.html	2023-07-27 00:00:00.000000000 +0000
@@ -72,7 +72,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>DISA STIG with GUI for Oracle Linux 8</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_stig_gui</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:oracle:linux:8 is applicable to this Benchmark">cpe:/o:oracle:linux:8</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_fapolicyd">Application Whitelisting Daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_kerberos">Kerberos</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_rng">Hardware RNG Entropy Gatherer Daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_sssd">System Security Services Daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_usbguard">USBGuard daemon</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_OL-8"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_OL-8"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Oracle Linux 8
                           <small>Group contains 104 groups and 405 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_OL-8"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -126,7 +126,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id16" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id16"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id16" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id16"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id17" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id17"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -143,19 +147,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id17" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id17"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id18" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id18"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id19" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id19"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id18" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id18"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id19" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id19"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_build_database" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_aide_build_database" id="guide-tree-leaf-id20" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_aide"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_aide_build_database"><span class="label label-default">Rule</span>  
                                 Build and Test AIDE Database
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_aide_build_database">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Run the following command to generate a new database:
@@ -4948,7 +4948,11 @@
 if ! rpm -q --quiet "rng-tools" ; then
     yum install -y "rng-tools"
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id143" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id143"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rng-tools is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id143" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id143"><pre><code>
+[[packages]]
+name = "rng-tools"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id144" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id144"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rng-tools is installed
   package:
     name: rng-tools
     state: present
@@ -4960,19 +4964,15 @@
   - low_severity
   - no_reboot_needed
   - package_rng-tools_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id144" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id144"><pre><code>
-[[packages]]
-name = "rng-tools"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id145" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id145"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=rng-tools
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id146" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id146"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_rng-tools
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id145" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id145"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_rng-tools
 
 class install_rng-tools {
   package { 'rng-tools':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id146" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id146"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=rng-tools
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_abrt-libs_removed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_abrt-libs_removed" id="guide-tree-leaf-id147" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system-tools"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_abrt-libs_removed"><span class="label label-default">Rule</span>  
                                 Uninstall abrt-libs Package
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_abrt-libs_removed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The <code>abrt-libs</code> package can be removed with the following command:
@@ -5002,15 +5002,15 @@
   - medium_severity
   - no_reboot_needed
   - package_abrt-libs_removed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id150" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id150"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=abrt-libs
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id151" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id151"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_abrt-libs
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id150" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id150"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_abrt-libs
 
 class remove_abrt-libs {
   package { 'abrt-libs':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id151" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id151"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=abrt-libs
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_abrt-server-info-page_removed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_abrt-server-info-page_removed" id="guide-tree-leaf-id152" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system-tools"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_abrt-server-info-page_removed"><span class="label label-default">Rule</span>  
                                 Uninstall abrt-server-info-page Package
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_abrt-server-info-page_removed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The <code>abrt-server-info-page</code> package can be removed with the following command:
@@ -5040,15 +5040,15 @@
   - medium_severity
   - no_reboot_needed
   - package_abrt-server-info-page_removed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id155" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id155"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=abrt-server-info-page
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id156" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id156"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_abrt-server-info-page
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id155" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id155"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_abrt-server-info-page
 
 class remove_abrt-server-info-page {
   package { 'abrt-server-info-page':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id156" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id156"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=abrt-server-info-page
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_gssproxy_removed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_gssproxy_removed" id="guide-tree-leaf-id157" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system-tools"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_gssproxy_removed"><span class="label label-default">Rule</span>  
                                 Uninstall gssproxy Package
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_gssproxy_removed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The <code>gssproxy</code> package can be removed with the following command:
@@ -5115,15 +5115,15 @@
   - medium_severity
   - no_reboot_needed
   - package_iprutils_removed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id164" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id164"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=iprutils
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id165" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id165"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_iprutils
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id164" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id164"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_iprutils
 
 class remove_iprutils {
   package { 'iprutils':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id165" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id165"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=iprutils
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_krb5-workstation_removed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_krb5-workstation_removed" id="guide-tree-leaf-id166" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system-tools"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_krb5-workstation_removed"><span class="label label-default">Rule</span>  
                                 Uninstall krb5-workstation Package
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_krb5-workstation_removed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The <code>krb5-workstation</code> package can be removed with the following command:
@@ -5154,15 +5154,15 @@
   - medium_severity
   - no_reboot_needed
   - package_krb5-workstation_removed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id169" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id169"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=krb5-workstation
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id170" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id170"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_krb5-workstation
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id169" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id169"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_krb5-workstation
 
 class remove_krb5-workstation {
   package { 'krb5-workstation':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id170" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id170"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=krb5-workstation
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_libreport-plugin-logger_removed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_libreport-plugin-logger_removed" id="guide-tree-leaf-id171" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system-tools"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_libreport-plugin-logger_removed"><span class="label label-default">Rule</span>  
                                 Uninstall libreport-plugin-logger Package
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_libreport-plugin-logger_removed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The <code>libreport-plugin-logger</code> package can be removed with the following command:
@@ -5193,15 +5193,15 @@
   - low_severity
   - no_reboot_needed
   - package_libreport-plugin-logger_removed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id174" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id174"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=libreport-plugin-logger
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id175" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id175"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_libreport-plugin-logger
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id174" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id174"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_libreport-plugin-logger
 
 class remove_libreport-plugin-logger {
   package { 'libreport-plugin-logger':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id175" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id175"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=libreport-plugin-logger
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_tuned_removed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_tuned_removed" id="guide-tree-leaf-id176" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system-tools"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_tuned_removed"><span class="label label-default">Rule</span>  
                                 Uninstall tuned Package
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_tuned_removed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The <code>tuned</code> package can be removed with the following command:
@@ -5234,15 +5234,15 @@
   - medium_severity
   - no_reboot_needed
   - package_tuned_removed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id179" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id179"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=tuned
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id180" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id180"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_tuned
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id179" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id179"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_tuned
 
 class remove_tuned {
   package { 'tuned':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id180" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id180"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=tuned
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_updating" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_software"><td style="padding-left: 57px" id="xccdf_org.ssgproject.content_group_updating"><span class="label label-default">Group</span>  
                 Updating Software
                           <small>Group contains 6 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_updating" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_updating" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_software"><td style="padding-left: 57px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_updating">[ref]</a>  
@@ -20092,7 +20092,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-anssi_bp28_enhanced.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-anssi_bp28_enhanced.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-anssi_bp28_enhanced.html	2023-07-27 00:00:00.000000000 +0000
@@ -71,7 +71,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>ANSSI-BP-028 (enhanced)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_bp28_enhanced</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:oracle:linux:9 is applicable to this Benchmark">cpe:/o:oracle:linux:9</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_OL-9"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_OL-9"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Oracle Linux 9
                           <small>Group contains 66 groups and 223 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_OL-9"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -125,7 +125,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id15" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id15"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id15" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id15"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id16" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id16"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -141,19 +145,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id16" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id16"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id17" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id17"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id18" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id18"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id17" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id17"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id18" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id18"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_build_database" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_aide_build_database" id="guide-tree-leaf-id19" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_aide"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_aide_build_database"><span class="label label-default">Rule</span>  
                                 Build and Test AIDE Database
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_aide_build_database">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Run the following command to generate a new database:
@@ -387,7 +387,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id38" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id38"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id38" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id38"><pre><code>
+[[packages]]
+name = "sudo"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id39" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id39"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -401,19 +405,15 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id39" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id39"><pre><code>
-[[packages]]
-name = "sudo"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id40" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id40"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=sudo
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id41" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id41"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id40" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id40"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
 
 class install_sudo {
   package { 'sudo':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id41" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id41"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=sudo
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sudo_add_noexec" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sudo_add_noexec" id="guide-tree-leaf-id42" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_sudo"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_sudo_add_noexec"><span class="label label-default">Rule</span>  
                                 Ensure Privileged Escalated Commands Cannot Execute Other Commands - sudo NOEXEC
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_sudo_add_noexec">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The sudo <code>NOEXEC</code> tag, when specified, prevents user executed
@@ -728,7 +728,11 @@
 if ! rpm -q --quiet "dnf-automatic" ; then
     yum install -y "dnf-automatic"
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id61" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id61"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure dnf-automatic is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id61" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id61"><pre><code>
+[[packages]]
+name = "dnf-automatic"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id62" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id62"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure dnf-automatic is installed
   package:
     name: dnf-automatic
     state: present
@@ -739,19 +743,15 @@
   - medium_severity
   - no_reboot_needed
   - package_dnf-automatic_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id62" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id62"><pre><code>
-[[packages]]
-name = "dnf-automatic"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id63" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id63"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=dnf-automatic
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id64" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id64"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_dnf-automatic
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id63" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id63"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_dnf-automatic
 
 class install_dnf-automatic {
   package { 'dnf-automatic':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id64" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id64"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=dnf-automatic
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates" id="guide-tree-leaf-id65" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_updating"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates"><span class="label label-default">Rule</span>  
                                 Configure dnf-automatic to Install Available Updates Automatically
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">To ensure that the packages comprising the available updates will be automatically installed by <code>dnf-automatic</code>, set <code>apply_updates</code> to <code>yes</code> under <code>[commands]</code> section in <code>/etc/dnf/automatic.conf</code>.</div></td></tr><tr><td><span class="label label-primary">Rationale:</span></td><td><div class="rationale">Installing software updates is a fundamental mitigation against
@@ -42055,7 +42055,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id299" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id299"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id299" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id299"><pre><code>[customizations.kernel]
+append = "iommu=force"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id300" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id300"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -42078,8 +42080,6 @@
   - reboot_required
   - restrict_strategy
   - unknown_severity
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id300" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id300"><pre><code>[customizations.kernel]
-append = "iommu=force"
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_l1tf_argument" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_grub2_l1tf_argument" id="guide-tree-leaf-id301" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_bootloader-grub2"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_grub2_l1tf_argument"><span class="label label-default">Rule</span>  
                                 Configure L1 Terminal Fault mitigations
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_grub2_l1tf_argument">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">L1 Terminal Fault (L1TF) is a hardware vulnerability which allows unprivileged
@@ -42114,7 +42114,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id303" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id303"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id303" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id303"><pre><code>[customizations.kernel]
+append = "l1tf=<abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_l1tf_options">full,force</abbr>"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id304" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id304"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -42142,8 +42144,6 @@
   - medium_complexity
   - reboot_required
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id304" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id304"><pre><code>[customizations.kernel]
-append = "l1tf=<abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_l1tf_options">full,force</abbr>"
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_mce_argument" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_grub2_mce_argument" id="guide-tree-leaf-id305" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_bootloader-grub2"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_grub2_mce_argument"><span class="label label-default">Rule</span>  
                                 Force kernel panic on uncorrected MCEs
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_grub2_mce_argument">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">A Machine Check Exception is an error generated by the CPU itdetects an error
@@ -42169,7 +42169,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id307" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id307"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id307" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id307"><pre><code>[customizations.kernel]
+append = "mce=0"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id308" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id308"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -42192,8 +42194,6 @@
   - medium_severity
   - reboot_required
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id308" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id308"><pre><code>[customizations.kernel]
-append = "mce=0"
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_nosmap_argument_absent" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_grub2_nosmap_argument_absent" id="guide-tree-leaf-id309" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_bootloader-grub2"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_grub2_nosmap_argument_absent"><span class="label label-default">Rule</span>  
                                 Ensure SMAP is not disabled during boot
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_grub2_nosmap_argument_absent">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The SMAP is used to prevent the supervisor mode from unintentionally reading/writing into
@@ -42310,7 +42310,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id317" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id317"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id317" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id317"><pre><code>[customizations.kernel]
+append = "page_alloc.shuffle=1"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id318" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id318"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -42333,8 +42335,6 @@
   - medium_severity
   - reboot_required
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id318" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id318"><pre><code>[customizations.kernel]
-append = "page_alloc.shuffle=1"
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_pti_argument" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_grub2_pti_argument" id="guide-tree-leaf-id319" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_bootloader-grub2"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_grub2_pti_argument"><span class="label label-default">Rule</span>  
                                 Enable Kernel Page-Table Isolation (KPTI)
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_grub2_pti_argument">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">To enable Kernel page-table isolation,
@@ -42357,7 +42357,9 @@
/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-anssi_bp28_high.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-anssi_bp28_high.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-anssi_bp28_high.html	2023-07-27 00:00:00.000000000 +0000
@@ -71,7 +71,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>ANSSI-BP-028 (high)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_bp28_high</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:oracle:linux:9 is applicable to this Benchmark">cpe:/o:oracle:linux:9</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_kernel_build_config">Kernel Configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_OL-9"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_OL-9"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Oracle Linux 9
                           <small>Group contains 67 groups and 276 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_OL-9"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -125,7 +125,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id15" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id15"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id15" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id15"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id16" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id16"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -141,19 +145,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id16" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id16"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id17" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id17"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id18" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id18"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id17" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id17"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id18" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id18"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_build_database" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_aide_build_database" id="guide-tree-leaf-id19" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_aide"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_aide_build_database"><span class="label label-default">Rule</span>  
                                 Build and Test AIDE Database
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_aide_build_database">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Run the following command to generate a new database:
@@ -660,7 +660,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id47" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id47"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id47" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id47"><pre><code>
+[[packages]]
+name = "sudo"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id48" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id48"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -674,19 +678,15 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id48" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id48"><pre><code>
-[[packages]]
-name = "sudo"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id49" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id49"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=sudo
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id50" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id50"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id49" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id49"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
 
 class install_sudo {
   package { 'sudo':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id50" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id50"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=sudo
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sudo_add_noexec" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sudo_add_noexec" id="guide-tree-leaf-id51" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_sudo"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_sudo_add_noexec"><span class="label label-default">Rule</span>  
                                 Ensure Privileged Escalated Commands Cannot Execute Other Commands - sudo NOEXEC
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_sudo_add_noexec">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The sudo <code>NOEXEC</code> tag, when specified, prevents user executed
@@ -1001,7 +1001,11 @@
 if ! rpm -q --quiet "dnf-automatic" ; then
     yum install -y "dnf-automatic"
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id70" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id70"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure dnf-automatic is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id70" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id70"><pre><code>
+[[packages]]
+name = "dnf-automatic"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id71" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id71"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure dnf-automatic is installed
   package:
     name: dnf-automatic
     state: present
@@ -1012,19 +1016,15 @@
   - medium_severity
   - no_reboot_needed
   - package_dnf-automatic_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id71" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id71"><pre><code>
-[[packages]]
-name = "dnf-automatic"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id72" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id72"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=dnf-automatic
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id73" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id73"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_dnf-automatic
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id72" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id72"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_dnf-automatic
 
 class install_dnf-automatic {
   package { 'dnf-automatic':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id73" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id73"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=dnf-automatic
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates" id="guide-tree-leaf-id74" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_updating"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates"><span class="label label-default">Rule</span>  
                                 Configure dnf-automatic to Install Available Updates Automatically
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">To ensure that the packages comprising the available updates will be automatically installed by <code>dnf-automatic</code>, set <code>apply_updates</code> to <code>yes</code> under <code>[commands]</code> section in <code>/etc/dnf/automatic.conf</code>.</div></td></tr><tr><td><span class="label label-primary">Rationale:</span></td><td><div class="rationale">Installing software updates is a fundamental mitigation against
@@ -42328,7 +42328,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id308" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id308"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id308" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id308"><pre><code>[customizations.kernel]
+append = "iommu=force"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id309" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id309"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -42351,8 +42353,6 @@
   - reboot_required
   - restrict_strategy
   - unknown_severity
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id309" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id309"><pre><code>[customizations.kernel]
-append = "iommu=force"
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_l1tf_argument" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_grub2_l1tf_argument" id="guide-tree-leaf-id310" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_bootloader-grub2"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_grub2_l1tf_argument"><span class="label label-default">Rule</span>  
                                 Configure L1 Terminal Fault mitigations
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_grub2_l1tf_argument">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">L1 Terminal Fault (L1TF) is a hardware vulnerability which allows unprivileged
@@ -42387,7 +42387,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id312" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id312"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id312" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id312"><pre><code>[customizations.kernel]
+append = "l1tf=<abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_l1tf_options">full,force</abbr>"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id313" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id313"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -42415,8 +42417,6 @@
   - medium_complexity
   - reboot_required
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id313" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id313"><pre><code>[customizations.kernel]
-append = "l1tf=<abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_l1tf_options">full,force</abbr>"
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_mce_argument" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_grub2_mce_argument" id="guide-tree-leaf-id314" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_bootloader-grub2"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_grub2_mce_argument"><span class="label label-default">Rule</span>  
                                 Force kernel panic on uncorrected MCEs
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_grub2_mce_argument">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">A Machine Check Exception is an error generated by the CPU itdetects an error
@@ -42442,7 +42442,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id316" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id316"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id316" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id316"><pre><code>[customizations.kernel]
+append = "mce=0"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id317" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id317"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -42465,8 +42467,6 @@
   - medium_severity
   - reboot_required
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id317" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id317"><pre><code>[customizations.kernel]
-append = "mce=0"
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_nosmap_argument_absent" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_grub2_nosmap_argument_absent" id="guide-tree-leaf-id318" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_bootloader-grub2"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_grub2_nosmap_argument_absent"><span class="label label-default">Rule</span>  
                                 Ensure SMAP is not disabled during boot
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_grub2_nosmap_argument_absent">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The SMAP is used to prevent the supervisor mode from unintentionally reading/writing into
@@ -42583,7 +42583,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id326" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id326"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id326" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id326"><pre><code>[customizations.kernel]
+append = "page_alloc.shuffle=1"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id327" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id327"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -42606,8 +42608,6 @@
   - medium_severity
   - reboot_required
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id327" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id327"><pre><code>[customizations.kernel]
-append = "page_alloc.shuffle=1"
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_pti_argument" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_grub2_pti_argument" id="guide-tree-leaf-id328" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_bootloader-grub2"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_grub2_pti_argument"><span class="label label-default">Rule</span>  
                                 Enable Kernel Page-Table Isolation (KPTI)
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_grub2_pti_argument">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">To enable Kernel page-table isolation,
@@ -42630,7 +42630,9 @@
/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-anssi_bp28_intermediary.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-anssi_bp28_intermediary.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-anssi_bp28_intermediary.html	2023-07-27 00:00:00.000000000 +0000
@@ -71,7 +71,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>ANSSI-BP-028 (intermediary)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_bp28_intermediary</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:oracle:linux:9 is applicable to this Benchmark">cpe:/o:oracle:linux:9</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_OL-9"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_OL-9"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Oracle Linux 9
                           <small>Group contains 54 groups and 157 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_OL-9"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -125,7 +125,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id15" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id15"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id15" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id15"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id16" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id16"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -141,19 +145,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id16" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id16"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id17" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id17"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id18" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id18"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id17" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id17"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id18" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id18"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_build_database" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_aide_build_database" id="guide-tree-leaf-id19" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_aide"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_aide_build_database"><span class="label label-default">Rule</span>  
                                 Build and Test AIDE Database
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_aide_build_database">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Run the following command to generate a new database:
@@ -373,7 +373,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id36" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id36"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id36" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id36"><pre><code>
+[[packages]]
+name = "sudo"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id37" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id37"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -387,19 +391,15 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id37" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id37"><pre><code>
-[[packages]]
-name = "sudo"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id38" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id38"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=sudo
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id39" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id39"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id38" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id38"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
 
 class install_sudo {
   package { 'sudo':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id39" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id39"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=sudo
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sudo_add_noexec" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sudo_add_noexec" id="guide-tree-leaf-id40" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_sudo"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_sudo_add_noexec"><span class="label label-default">Rule</span>  
                                 Ensure Privileged Escalated Commands Cannot Execute Other Commands - sudo NOEXEC
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_sudo_add_noexec">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The sudo <code>NOEXEC</code> tag, when specified, prevents user executed
@@ -714,7 +714,11 @@
 if ! rpm -q --quiet "dnf-automatic" ; then
     yum install -y "dnf-automatic"
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id59" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id59"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure dnf-automatic is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id59" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id59"><pre><code>
+[[packages]]
+name = "dnf-automatic"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id60" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id60"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure dnf-automatic is installed
   package:
     name: dnf-automatic
     state: present
@@ -725,19 +729,15 @@
   - medium_severity
   - no_reboot_needed
   - package_dnf-automatic_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id60" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id60"><pre><code>
-[[packages]]
-name = "dnf-automatic"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id61" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id61"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=dnf-automatic
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id62" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id62"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_dnf-automatic
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id61" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id61"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_dnf-automatic
 
 class install_dnf-automatic {
   package { 'dnf-automatic':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id62" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id62"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=dnf-automatic
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates" id="guide-tree-leaf-id63" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_updating"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates"><span class="label label-default">Rule</span>  
                                 Configure dnf-automatic to Install Available Updates Automatically
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">To ensure that the packages comprising the available updates will be automatically installed by <code>dnf-automatic</code>, set <code>apply_updates</code> to <code>yes</code> under <code>[commands]</code> section in <code>/etc/dnf/automatic.conf</code>.</div></td></tr><tr><td><span class="label label-primary">Rationale:</span></td><td><div class="rationale">Installing software updates is a fundamental mitigation against
@@ -9445,7 +9445,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id149" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id149"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id149" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id149"><pre><code>[customizations.kernel]
+append = "l1tf=<abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_l1tf_options">full,force</abbr>"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id150" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id150"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -9473,8 +9475,6 @@
   - medium_complexity
   - reboot_required
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id150" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id150"><pre><code>[customizations.kernel]
-append = "l1tf=<abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_l1tf_options">full,force</abbr>"
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_mce_argument" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_grub2_mce_argument" id="guide-tree-leaf-id151" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_bootloader-grub2"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_grub2_mce_argument"><span class="label label-default">Rule</span>  
                                 Force kernel panic on uncorrected MCEs
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_grub2_mce_argument">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">A Machine Check Exception is an error generated by the CPU itdetects an error
@@ -9500,7 +9500,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id153" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id153"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id153" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id153"><pre><code>[customizations.kernel]
+append = "mce=0"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id154" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id154"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -9523,8 +9525,6 @@
   - medium_severity
   - reboot_required
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id154" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id154"><pre><code>[customizations.kernel]
-append = "mce=0"
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_page_alloc_shuffle_argument" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_grub2_page_alloc_shuffle_argument" id="guide-tree-leaf-id155" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_bootloader-grub2"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_grub2_page_alloc_shuffle_argument"><span class="label label-default">Rule</span>  
                                 Enable randomization of the page allocator
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_grub2_page_alloc_shuffle_argument">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">To enable randomization of the page allocator in the kernel, add the
@@ -9551,7 +9551,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id157" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id157"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id157" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id157"><pre><code>[customizations.kernel]
+append = "page_alloc.shuffle=1"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id158" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id158"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -9574,8 +9576,6 @@
   - medium_severity
   - reboot_required
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id158" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id158"><pre><code>[customizations.kernel]
-append = "page_alloc.shuffle=1"
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_pti_argument" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_grub2_pti_argument" id="guide-tree-leaf-id159" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_bootloader-grub2"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_grub2_pti_argument"><span class="label label-default">Rule</span>  
                                 Enable Kernel Page-Table Isolation (KPTI)
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_grub2_pti_argument">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">To enable Kernel page-table isolation,
@@ -9598,7 +9598,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id161" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id161"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id161" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id161"><pre><code>[customizations.kernel]
+append = "pti=on"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id162" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id162"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -9623,8 +9625,6 @@
   - medium_complexity
   - reboot_required
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id162" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id162"><pre><code>[customizations.kernel]
-append = "pti=on"
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_rng_core_default_quality_argument" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_grub2_rng_core_default_quality_argument" id="guide-tree-leaf-id163" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_bootloader-grub2"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_grub2_rng_core_default_quality_argument"><span class="label label-default">Rule</span>  
                                 Configure the confidence in TPM for entropy
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_grub2_rng_core_default_quality_argument">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The TPM security chip that is available in most modern systems has a hardware RNG.
@@ -9662,7 +9662,9 @@
/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-anssi_bp28_minimal.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-anssi_bp28_minimal.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-anssi_bp28_minimal.html	2023-07-27 00:00:00.000000000 +0000
@@ -71,7 +71,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>ANSSI-BP-028 (minimal)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_bp28_minimal</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:oracle:linux:9 is applicable to this Benchmark">cpe:/o:oracle:linux:9</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_OL-9"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_OL-9"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Oracle Linux 9
                           <small>Group contains 25 groups and 45 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_OL-9"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -231,7 +231,11 @@
 if ! rpm -q --quiet "dnf-automatic" ; then
     yum install -y "dnf-automatic"
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id21" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id21"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure dnf-automatic is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id21" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id21"><pre><code>
+[[packages]]
+name = "dnf-automatic"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure dnf-automatic is installed
   package:
     name: dnf-automatic
     state: present
@@ -242,19 +246,15 @@
   - medium_severity
   - no_reboot_needed
   - package_dnf-automatic_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><pre><code>
-[[packages]]
-name = "dnf-automatic"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id23" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id23"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=dnf-automatic
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id24" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id24"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_dnf-automatic
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id23" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id23"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_dnf-automatic
 
 class install_dnf-automatic {
   package { 'dnf-automatic':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id24" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id24"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=dnf-automatic
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates" id="guide-tree-leaf-id25" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_updating"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates"><span class="label label-default">Rule</span>  
                                 Configure dnf-automatic to Install Available Updates Automatically
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">To ensure that the packages comprising the available updates will be automatically installed by <code>dnf-automatic</code>, set <code>apply_updates</code> to <code>yes</code> under <code>[commands]</code> section in <code>/etc/dnf/automatic.conf</code>.</div></td></tr><tr><td><span class="label label-primary">Rationale:</span></td><td><div class="rationale">Installing software updates is a fundamental mitigation against
@@ -8283,15 +8283,15 @@
   - medium_severity
   - no_reboot_needed
   - package_dhcp_removed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id108" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id108"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=dhcp
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id109" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id109"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_dhcp
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id108" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id108"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_dhcp
 
 class remove_dhcp {
   package { 'dhcp':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id109" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id109"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=dhcp
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_mail" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td style="padding-left: 38px" id="xccdf_org.ssgproject.content_group_mail"><span class="label label-default">Group</span>  
                 Mail Server Software
                           <small>Group contains  1 rule</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_mail" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_mail" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td style="padding-left: 38px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_mail">[ref]</a>  
@@ -8357,15 +8357,15 @@
   - medium_severity
   - no_reboot_needed
   - package_sendmail_removed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id113" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id113"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=sendmail
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id114" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id114"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_sendmail
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id113" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id113"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_sendmail
 
 class remove_sendmail {
   package { 'sendmail':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id114" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id114"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=sendmail
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_obsolete" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td style="padding-left: 38px" id="xccdf_org.ssgproject.content_group_obsolete"><span class="label label-default">Group</span>  
                 Obsolete Services
                           <small>Group contains 5 groups and 9 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_obsolete" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_obsolete" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td style="padding-left: 38px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_obsolete">[ref]</a>  
@@ -8432,15 +8432,15 @@
   - low_severity
   - no_reboot_needed
   - package_xinetd_removed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id118" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id118"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=xinetd
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id119" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id119"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_xinetd
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id118" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id118"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_xinetd
 
 class remove_xinetd {
   package { 'xinetd':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id119" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id119"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=xinetd
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_r_services" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td style="padding-left: 57px" id="xccdf_org.ssgproject.content_group_r_services"><span class="label label-default">Group</span>  
                 Rlogin, Rsh, and Rexec
                           <small>Group contains 2 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_r_services" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_r_services" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td style="padding-left: 57px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_r_services">[ref]</a>  
@@ -8483,15 +8483,15 @@
   - low_disruption
   - no_reboot_needed
   - package_rsh-server_removed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id123" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id123"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=rsh-server
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id124" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id124"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_rsh-server
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id123" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id123"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_rsh-server
 
 class remove_rsh-server {
   package { 'rsh-server':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id124" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id124"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=rsh-server
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_rsh_removed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_rsh_removed" id="guide-tree-leaf-id125" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_rsh_removed"><span class="label label-default">Rule</span>  
                                 Uninstall rsh Package
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_rsh_removed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">
@@ -8530,15 +8530,15 @@
   - no_reboot_needed
   - package_rsh_removed
   - unknown_severity
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id128" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id128"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=rsh
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id129" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id129"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_rsh
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id128" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id128"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_rsh
 
 class remove_rsh {
   package { 'rsh':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id129" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id129"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=rsh
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_talk" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td style="padding-left: 57px" id="xccdf_org.ssgproject.content_group_talk"><span class="label label-default">Group</span>  
                 Chat/Messaging Services
                           <small>Group contains 2 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_talk" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_talk" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td style="padding-left: 57px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_talk">[ref]</a>  
@@ -8571,15 +8571,15 @@
   - medium_severity
   - no_reboot_needed
   - package_talk-server_removed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id133" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id133"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=talk-server
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id134" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id134"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_talk-server
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id133" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id133"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_talk-server
 
 class remove_talk-server {
   package { 'talk-server':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id134" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id134"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=talk-server
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_talk_removed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_talk_removed" id="guide-tree-leaf-id135" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_talk"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_talk_removed"><span class="label label-default">Rule</span>  
                                 Uninstall talk Package
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_talk_removed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The <code>talk</code> package contains the client program for the
@@ -8615,15 +8615,15 @@
   - medium_severity
   - no_reboot_needed
   - package_talk_removed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id138" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id138"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=talk
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id139" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id139"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_talk
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id138" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id138"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_talk
 
 class remove_talk {
   package { 'talk':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id139" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id139"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=talk
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_telnet" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td style="padding-left: 57px" id="xccdf_org.ssgproject.content_group_telnet"><span class="label label-default">Group</span>  
                 Telnet
                           <small>Group contains 2 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_telnet" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_telnet" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td style="padding-left: 57px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_telnet">[ref]</a>  
@@ -8675,15 +8675,15 @@
   - low_disruption
   - no_reboot_needed
   - package_telnet-server_removed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id143" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id143"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=telnet-server
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id144" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id144"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_telnet-server
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id143" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id143"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_telnet-server
 
 class remove_telnet-server {
   package { 'telnet-server':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id144" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id144"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=telnet-server
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_telnet_removed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnet_removed" id="guide-tree-leaf-id145" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_telnet"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_telnet_removed"><span class="label label-default">Rule</span>  
                                 Remove telnet Clients
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_telnet_removed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The telnet client allows users to start connections to other systems via
@@ -8716,15 +8716,15 @@
/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-cui.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-cui.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-cui.html	2023-07-27 00:00:00.000000000 +0000
@@ -81,7 +81,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>[DRAFT] Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_cui</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:oracle:linux:9 is applicable to this Benchmark">cpe:/o:oracle:linux:9</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_fapolicyd">Application Whitelisting Daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_usbguard">USBGuard daemon</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_OL-9"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_OL-9"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Oracle Linux 9
                           <small>Group contains 60 groups and 184 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_OL-9"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -135,7 +135,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id15" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id15"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id15" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id15"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id16" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id16"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -151,19 +155,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id16" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id16"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id17" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id17"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id18" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id18"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id17" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id17"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id18" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id18"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_fips" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_integrity"><td style="padding-left: 76px" id="xccdf_org.ssgproject.content_group_fips"><span class="label label-default">Group</span>  
                 Federal Information Processing Standard (FIPS)
                           <small>Group contains 2 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_fips" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_fips" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_integrity"><td style="padding-left: 76px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_fips">[ref]</a>  
@@ -341,7 +341,11 @@
 if ! rpm -q --quiet "crypto-policies" ; then
     yum install -y "crypto-policies"
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id26" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id26"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure crypto-policies is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id26" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id26"><pre><code>
+[[packages]]
+name = "crypto-policies"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id27" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id27"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure crypto-policies is installed
   package:
     name: crypto-policies
     state: present
@@ -352,19 +356,15 @@
   - medium_severity
   - no_reboot_needed
   - package_crypto-policies_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id27" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id27"><pre><code>
-[[packages]]
-name = "crypto-policies"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id28" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id28"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=crypto-policies
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id29" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id29"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_crypto-policies
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id28" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id28"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_crypto-policies
 
 class install_crypto-policies {
   package { 'crypto-policies':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id29" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id29"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=crypto-policies
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_configure_bind_crypto_policy" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_configure_bind_crypto_policy" id="guide-tree-leaf-id30" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_crypto"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_configure_bind_crypto_policy"><span class="label label-default">Rule</span>  
                                 Configure BIND to use System Crypto Policy
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_configure_bind_crypto_policy">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -797,7 +797,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id59" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id59"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id59" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id59"><pre><code>
+[[packages]]
+name = "sudo"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id60" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id60"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -811,19 +815,15 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id60" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id60"><pre><code>
-[[packages]]
-name = "sudo"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id61" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id61"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=sudo
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id62" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id62"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id61" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id61"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
 
 class install_sudo {
   package { 'sudo':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id62" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id62"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=sudo
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system-tools" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_software"><td style="padding-left: 57px" id="xccdf_org.ssgproject.content_group_system-tools"><span class="label label-default">Group</span>  
                 System Tooling / Utilities
                           <small>Group contains 6 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_system-tools" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_system-tools" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_software"><td style="padding-left: 57px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_system-tools">[ref]</a>  
@@ -843,7 +843,11 @@
 if ! rpm -q --quiet "gnutls-utils" ; then
     yum install -y "gnutls-utils"
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id65" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id65"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure gnutls-utils is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id65" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id65"><pre><code>
+[[packages]]
+name = "gnutls-utils"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id66" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id66"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure gnutls-utils is installed
   package:
     name: gnutls-utils
     state: present
@@ -854,19 +858,15 @@
   - medium_severity
   - no_reboot_needed
   - package_gnutls-utils_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id66" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id66"><pre><code>
-[[packages]]
-name = "gnutls-utils"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id67" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id67"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=gnutls-utils
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id68" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id68"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_gnutls-utils
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id67" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id67"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_gnutls-utils
 
 class install_gnutls-utils {
   package { 'gnutls-utils':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id68" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id68"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=gnutls-utils
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_openscap-scanner_installed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_openscap-scanner_installed" id="guide-tree-leaf-id69" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system-tools"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_openscap-scanner_installed"><span class="label label-default">Rule</span>  
                                 Install openscap-scanner Package
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_openscap-scanner_installed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The <code>openscap-scanner</code> package can be installed with the following command:
@@ -878,7 +878,11 @@
 if ! rpm -q --quiet "openscap-scanner" ; then
     yum install -y "openscap-scanner"
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id71" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id71"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure openscap-scanner is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id71" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id71"><pre><code>
+[[packages]]
+name = "openscap-scanner"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id72" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id72"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure openscap-scanner is installed
   package:
     name: openscap-scanner
     state: present
@@ -889,19 +893,15 @@
   - medium_severity
   - no_reboot_needed
   - package_openscap-scanner_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id72" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id72"><pre><code>
-[[packages]]
-name = "openscap-scanner"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id73" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id73"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=openscap-scanner
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id74" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id74"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_openscap-scanner
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id73" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id73"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_openscap-scanner
 
 class install_openscap-scanner {
   package { 'openscap-scanner':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id74" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id74"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=openscap-scanner
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_scap-security-guide_installed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_scap-security-guide_installed" id="guide-tree-leaf-id75" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system-tools"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_scap-security-guide_installed"><span class="label label-default">Rule</span>  
                                 Install scap-security-guide Package
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_scap-security-guide_installed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The <code>scap-security-guide</code> package can be installed with the following command:
@@ -919,7 +919,11 @@
 if ! rpm -q --quiet "scap-security-guide" ; then
     yum install -y "scap-security-guide"
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id77" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id77"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure scap-security-guide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id77" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id77"><pre><code>
+[[packages]]
+name = "scap-security-guide"
+version = "*"
/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-e8.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-e8.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-e8.html	2023-07-27 00:00:00.000000000 +0000
@@ -71,7 +71,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Australian Cyber Security Centre (ACSC) Essential Eight</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_e8</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:oracle:linux:9 is applicable to this Benchmark">cpe:/o:oracle:linux:9</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_avahi">Avahi Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_fapolicyd">Application Whitelisting Daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_proxy">Proxy Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_OL-9"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_OL-9"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Oracle Linux 9
                           <small>Group contains 45 groups and 95 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_OL-9"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -934,7 +934,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id39" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id39"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rear is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id39" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id39"><pre><code>
+[[packages]]
+name = "rear"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id40" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id40"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rear is installed
   package:
     name: rear
     state: present
@@ -950,19 +954,15 @@
   - medium_severity
   - no_reboot_needed
   - package_rear_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id40" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id40"><pre><code>
-[[packages]]
-name = "rear"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id41" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id41"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=rear
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id42" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id42"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_rear
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id41" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id41"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_rear
 
 class install_rear {
   package { 'rear':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id42" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id42"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=rear
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_updating" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_software"><td style="padding-left: 57px" id="xccdf_org.ssgproject.content_group_updating"><span class="label label-default">Group</span>  
                 Updating Software
                           <small>Group contains 6 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_updating" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_updating" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_software"><td style="padding-left: 57px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_updating">[ref]</a>  
@@ -1459,7 +1459,26 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id61" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id61"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id61" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id61"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/password-auth
+        overwrite: true
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/system-auth
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id62" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id62"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
     authselect
   ansible.builtin.stat:
     path: /usr/bin/authselect
@@ -1580,25 +1599,6 @@
   - medium_disruption
   - no_empty_passwords
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id62" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id62"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/password-auth
-        overwrite: true
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/system-auth
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_root_logins" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-restrictions"><td style="padding-left: 76px" id="xccdf_org.ssgproject.content_group_root_logins"><span class="label label-default">Group</span>  
                 Restrict Root Logins
                           <small>Group contains  1 rule</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_root_logins" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_root_logins" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-restrictions"><td style="padding-left: 76px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_root_logins">[ref]</a>  
@@ -15201,7 +15201,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id149" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id149"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id149" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id149"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    systemd:
+      units:
+      - name: auditd.service
+        enabled: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id150" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id150"><pre><code>
+[customizations.services]
+enabled = ["auditd"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id151" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id151"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -15267,20 +15281,6 @@
   - medium_severity
   - no_reboot_needed
   - service_auditd_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id150" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id150"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-      - name: auditd.service
-        enabled: true
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id151" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id151"><pre><code>
-[customizations.services]
-enabled = ["auditd"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id152" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id152"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_auditd
 
 class enable_auditd {
@@ -15321,7 +15321,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id155" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id155"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rsyslog is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id155" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id155"><pre><code>
+[[packages]]
+name = "rsyslog"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id156" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id156"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rsyslog is installed
   package:
     name: rsyslog
     state: present
@@ -15334,19 +15338,15 @@
   - medium_severity
   - no_reboot_needed
   - package_rsyslog_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id156" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id156"><pre><code>
-[[packages]]
-name = "rsyslog"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id157" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id157"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=rsyslog
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id158" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id158"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_rsyslog
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id157" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id157"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_rsyslog
 
 class install_rsyslog {
   package { 'rsyslog':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id158" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id158"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=rsyslog
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_rsyslog_enabled" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rsyslog_enabled" id="guide-tree-leaf-id159" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_logging"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_service_rsyslog_enabled"><span class="label label-default">Rule</span>  
                                 Enable rsyslog Service
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_service_rsyslog_enabled">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The <code>rsyslog</code> service provides syslog-style logging by default on Oracle Linux 9.
@@ -15365,7 +15365,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id161" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id161"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service rsyslog
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id161" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id161"><pre><code>
+[customizations.services]
+enabled = ["rsyslog"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id162" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id162"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service rsyslog
   block:
 
   - name: Gather the package facts
@@ -15390,9 +15393,6 @@
   - medium_severity
   - no_reboot_needed
   - service_rsyslog_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id162" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id162"><pre><code>
-[customizations.services]
-enabled = ["rsyslog"]
/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-hipaa.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-hipaa.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-hipaa.html	2023-07-27 00:00:00.000000000 +0000
@@ -74,7 +74,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Health Insurance Portability and Accountability Act (HIPAA)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_hipaa</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:oracle:linux:9 is applicable to this Benchmark">cpe:/o:oracle:linux:9</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_OL-9"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_OL-9"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Oracle Linux 9
                           <small>Group contains 52 groups and 134 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_OL-9"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -1333,7 +1333,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id47" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id47"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Block Disable service debug-shell
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id47" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id47"><pre><code>
+[customizations.services]
+disabled = ["debug-shell"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id48" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id48"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Block Disable service debug-shell
   block:
 
   - name: Disable service debug-shell
@@ -1396,9 +1399,6 @@
   - medium_severity
   - no_reboot_needed
   - service_debug-shell_disabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id48" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id48"><pre><code>
-[customizations.services]
-disabled = ["debug-shell"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id49" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id49"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include disable_debug-shell
 
 class disable_debug-shell {
@@ -1737,7 +1737,26 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id62" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id62"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id62" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id62"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/password-auth
+        overwrite: true
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/system-auth
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id63" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id63"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
     authselect
   ansible.builtin.stat:
     path: /usr/bin/authselect
@@ -1858,25 +1877,6 @@
   - medium_disruption
   - no_empty_passwords
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id63" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id63"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/password-auth
-        overwrite: true
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/system-auth
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_root_logins" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-restrictions"><td style="padding-left: 76px" id="xccdf_org.ssgproject.content_group_root_logins"><span class="label label-default">Group</span>  
                 Restrict Root Logins
                           <small>Group contains 3 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_root_logins" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_root_logins" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-restrictions"><td style="padding-left: 76px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_root_logins">[ref]</a>  
@@ -44718,7 +44718,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id282" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id282"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id282" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id282"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    systemd:
+      units:
+      - name: auditd.service
+        enabled: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id283" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id283"><pre><code>
+[customizations.services]
+enabled = ["auditd"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id284" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id284"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -44784,20 +44798,6 @@
   - medium_severity
   - no_reboot_needed
   - service_auditd_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id283" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id283"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-      - name: auditd.service
-        enabled: true
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id284" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id284"><pre><code>
-[customizations.services]
-enabled = ["auditd"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id285" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id285"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_auditd
 
 class enable_auditd {
@@ -44828,7 +44828,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id288" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id288"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id288" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id288"><pre><code>[customizations.kernel]
+append = "audit=1"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id289" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id289"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -44869,8 +44871,6 @@
   - medium_complexity
   - reboot_required
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id289" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id289"><pre><code>[customizations.kernel]
-append = "audit=1"
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_bootloader-grub2" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td style="padding-left: 38px" id="xccdf_org.ssgproject.content_group_bootloader-grub2"><span class="label label-default">Group</span>  
                 GRUB2 bootloader configuration
                           <small>Group contains 2 groups and 4 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_bootloader-grub2" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_bootloader-grub2" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td style="padding-left: 38px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_bootloader-grub2">[ref]</a>  
@@ -45318,7 +45318,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id304" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id304"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Block Disable service autofs
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id304" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id304"><pre><code>
+[customizations.services]
+disabled = ["autofs"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id305" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id305"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Block Disable service autofs
   block:
 
   - name: Disable service autofs
@@ -45390,9 +45393,6 @@
   - medium_severity
   - no_reboot_needed
   - service_autofs_disabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id305" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id305"><pre><code>
-[customizations.services]
-disabled = ["autofs"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id306" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id306"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include disable_autofs
 
 class disable_autofs {
@@ -46482,7 +46482,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id340" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id340"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Block Disable service kdump
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id340" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id340"><pre><code>
+[customizations.services]
+disabled = ["kdump"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id341" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id341"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Block Disable service kdump
   block:
 
   - name: Disable service kdump
@@ -46548,12 +46551,7 @@
   - medium_severity
   - no_reboot_needed
   - service_kdump_disabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id341" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id341"><pre><code>
-[customizations.services]
-disabled = ["kdump"]
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id342" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id342"><pre><code>
-kdump --disable
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id343" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id343"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include disable_kdump
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id342" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id342"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include disable_kdump
 
 class disable_kdump {
   service {'kdump':
@@ -46561,6 +46559,8 @@
/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-ospp.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-ospp.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-ospp.html	2023-07-27 00:00:00.000000000 +0000
@@ -71,7 +71,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>[DRAFT] Protection Profile for General Purpose Operating Systems</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_ospp</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:oracle:linux:9 is applicable to this Benchmark">cpe:/o:oracle:linux:9</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_fapolicyd">Application Whitelisting Daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_usbguard">USBGuard daemon</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_OL-9"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_OL-9"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Oracle Linux 9
                           <small>Group contains 60 groups and 184 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_OL-9"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -125,7 +125,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id15" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id15"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id15" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id15"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id16" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id16"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -141,19 +145,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id16" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id16"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id17" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id17"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id18" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id18"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id17" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id17"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id18" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id18"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_fips" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_integrity"><td style="padding-left: 76px" id="xccdf_org.ssgproject.content_group_fips"><span class="label label-default">Group</span>  
                 Federal Information Processing Standard (FIPS)
                           <small>Group contains 2 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_fips" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_fips" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_integrity"><td style="padding-left: 76px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_fips">[ref]</a>  
@@ -331,7 +331,11 @@
 if ! rpm -q --quiet "crypto-policies" ; then
     yum install -y "crypto-policies"
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id26" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id26"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure crypto-policies is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id26" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id26"><pre><code>
+[[packages]]
+name = "crypto-policies"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id27" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id27"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure crypto-policies is installed
   package:
     name: crypto-policies
     state: present
@@ -342,19 +346,15 @@
   - medium_severity
   - no_reboot_needed
   - package_crypto-policies_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id27" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id27"><pre><code>
-[[packages]]
-name = "crypto-policies"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id28" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id28"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=crypto-policies
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id29" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id29"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_crypto-policies
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id28" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id28"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_crypto-policies
 
 class install_crypto-policies {
   package { 'crypto-policies':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id29" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id29"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=crypto-policies
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_configure_bind_crypto_policy" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_configure_bind_crypto_policy" id="guide-tree-leaf-id30" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_crypto"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_configure_bind_crypto_policy"><span class="label label-default">Rule</span>  
                                 Configure BIND to use System Crypto Policy
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_configure_bind_crypto_policy">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -787,7 +787,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id59" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id59"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id59" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id59"><pre><code>
+[[packages]]
+name = "sudo"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id60" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id60"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -801,19 +805,15 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id60" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id60"><pre><code>
-[[packages]]
-name = "sudo"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id61" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id61"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=sudo
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id62" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id62"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id61" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id61"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
 
 class install_sudo {
   package { 'sudo':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id62" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id62"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=sudo
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system-tools" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_software"><td style="padding-left: 57px" id="xccdf_org.ssgproject.content_group_system-tools"><span class="label label-default">Group</span>  
                 System Tooling / Utilities
                           <small>Group contains 6 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_system-tools" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_system-tools" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_software"><td style="padding-left: 57px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_system-tools">[ref]</a>  
@@ -833,7 +833,11 @@
 if ! rpm -q --quiet "gnutls-utils" ; then
     yum install -y "gnutls-utils"
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id65" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id65"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure gnutls-utils is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id65" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id65"><pre><code>
+[[packages]]
+name = "gnutls-utils"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id66" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id66"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure gnutls-utils is installed
   package:
     name: gnutls-utils
     state: present
@@ -844,19 +848,15 @@
   - medium_severity
   - no_reboot_needed
   - package_gnutls-utils_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id66" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id66"><pre><code>
-[[packages]]
-name = "gnutls-utils"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id67" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id67"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=gnutls-utils
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id68" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id68"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_gnutls-utils
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id67" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id67"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_gnutls-utils
 
 class install_gnutls-utils {
   package { 'gnutls-utils':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id68" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id68"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=gnutls-utils
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_openscap-scanner_installed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_openscap-scanner_installed" id="guide-tree-leaf-id69" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system-tools"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_openscap-scanner_installed"><span class="label label-default">Rule</span>  
                                 Install openscap-scanner Package
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_openscap-scanner_installed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The <code>openscap-scanner</code> package can be installed with the following command:
@@ -868,7 +868,11 @@
 if ! rpm -q --quiet "openscap-scanner" ; then
     yum install -y "openscap-scanner"
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id71" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id71"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure openscap-scanner is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id71" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id71"><pre><code>
+[[packages]]
+name = "openscap-scanner"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id72" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id72"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure openscap-scanner is installed
   package:
     name: openscap-scanner
     state: present
@@ -879,19 +883,15 @@
   - medium_severity
   - no_reboot_needed
   - package_openscap-scanner_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id72" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id72"><pre><code>
-[[packages]]
-name = "openscap-scanner"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id73" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id73"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=openscap-scanner
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id74" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id74"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_openscap-scanner
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id73" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id73"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_openscap-scanner
 
 class install_openscap-scanner {
   package { 'openscap-scanner':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id74" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id74"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=openscap-scanner
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_scap-security-guide_installed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_scap-security-guide_installed" id="guide-tree-leaf-id75" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system-tools"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_scap-security-guide_installed"><span class="label label-default">Rule</span>  
                                 Install scap-security-guide Package
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_scap-security-guide_installed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The <code>scap-security-guide</code> package can be installed with the following command:
@@ -909,7 +909,11 @@
 if ! rpm -q --quiet "scap-security-guide" ; then
     yum install -y "scap-security-guide"
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id77" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id77"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure scap-security-guide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id77" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id77"><pre><code>
+[[packages]]
+name = "scap-security-guide"
+version = "*"
/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-pci-dss.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-pci-dss.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-pci-dss.html	2023-07-27 00:00:00.000000000 +0000
@@ -65,7 +65,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>PCI-DSS v3.2.1 Control Baseline for Oracle Linux 9</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_pci-dss</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:oracle:linux:9 is applicable to this Benchmark">cpe:/o:oracle:linux:9</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_sssd">System Security Services Daemon</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_OL-9"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_OL-9"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Oracle Linux 9
                           <small>Group contains 49 groups and 123 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_OL-9"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -445,7 +445,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id21" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id21"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id21" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id21"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -461,19 +465,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id23" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id23"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id24" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id24"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id23" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id23"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id24" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id24"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_build_database" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_aide_build_database" id="guide-tree-leaf-id25" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_aide"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_aide_build_database"><span class="label label-default">Rule</span>  
                                 Build and Test AIDE Database
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_aide_build_database">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Run the following command to generate a new database:
@@ -7863,7 +7863,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id115" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id115"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure opensc is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id115" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id115"><pre><code>
+[[packages]]
+name = "opensc"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id116" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id116"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure opensc is installed
   package:
     name: opensc
     state: present
@@ -7876,19 +7880,15 @@
   - medium_severity
   - no_reboot_needed
   - package_opensc_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id116" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id116"><pre><code>
-[[packages]]
-name = "opensc"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id117" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id117"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=opensc
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id118" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id118"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_opensc
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id117" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id117"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_opensc
 
 class install_opensc {
   package { 'opensc':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id118" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id118"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=opensc
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_pcsc-lite_installed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_pcsc-lite_installed" id="guide-tree-leaf-id119" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smart_card_login"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_pcsc-lite_installed"><span class="label label-default">Rule</span>  
                                 Install the pcsc-lite package
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_pcsc-lite_installed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The <code>pcsc-lite</code> package can be installed with the following command:
@@ -7905,7 +7905,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id121" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id121"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure pcsc-lite is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id121" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id121"><pre><code>
+[[packages]]
+name = "pcsc-lite"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id122" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id122"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure pcsc-lite is installed
   package:
     name: pcsc-lite
     state: present
@@ -7918,19 +7922,15 @@
   - medium_severity
   - no_reboot_needed
   - package_pcsc-lite_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id122" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id122"><pre><code>
-[[packages]]
-name = "pcsc-lite"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id123" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id123"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=pcsc-lite
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id124" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id124"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_pcsc-lite
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id123" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id123"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_pcsc-lite
 
 class install_pcsc-lite {
   package { 'pcsc-lite':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id124" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id124"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=pcsc-lite
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_pcscd_enabled" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_pcscd_enabled" id="guide-tree-leaf-id125" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smart_card_login"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_service_pcscd_enabled"><span class="label label-default">Rule</span>  
                                 Enable the pcscd Service
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_service_pcscd_enabled">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">
@@ -7956,7 +7956,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id127" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id127"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service pcscd
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id127" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id127"><pre><code>
+[customizations.services]
+enabled = ["pcscd"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id128" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id128"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service pcscd
   block:
 
   - name: Gather the package facts
@@ -7994,9 +7997,6 @@
   - medium_severity
   - no_reboot_needed
   - service_pcscd_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id128" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id128"><pre><code>
-[customizations.services]
-enabled = ["pcscd"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id129" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id129"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_pcscd
 
 class enable_pcscd {
@@ -8510,7 +8510,26 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id147" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id147"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id147" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id147"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/password-auth
+        overwrite: true
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/system-auth
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id148" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id148"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
     authselect
   ansible.builtin.stat:
     path: /usr/bin/authselect
@@ -8631,25 +8650,6 @@
   - medium_disruption
   - no_empty_passwords
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id148" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id148"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/password-auth
-        overwrite: true
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/system-auth
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_enable_authselect" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_enable_authselect" id="guide-tree-leaf-id149" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_enable_authselect"><span class="label label-default">Rule</span>  
                                 Enable authselect
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_enable_authselect">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Configure user authentication setup to use the <code>authselect</code> tool.
@@ -42627,7 +42627,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id314" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id314"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure audispd-plugins is installed
/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-standard.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-standard.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-standard.html	2023-07-27 00:00:00.000000000 +0000
@@ -67,7 +67,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Standard System Security Profile for Oracle Linux 9</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_standard</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:oracle:linux:9 is applicable to this Benchmark">cpe:/o:oracle:linux:9</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_OL-9"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_OL-9"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Oracle Linux 9
                           <small>Group contains 29 groups and 78 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_OL-9"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -1124,7 +1124,26 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id51" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id51"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id51" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id51"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/password-auth
+        overwrite: true
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/system-auth
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id52" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id52"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
     authselect
   ansible.builtin.stat:
     path: /usr/bin/authselect
@@ -1245,25 +1264,6 @@
   - medium_disruption
   - no_empty_passwords
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id52" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id52"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/password-auth
-        overwrite: true
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/system-auth
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_accounts-session" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts"><td style="padding-left: 57px" id="xccdf_org.ssgproject.content_group_accounts-session"><span class="label label-default">Group</span>  
                 Secure Session Configuration Files for Login Accounts
                           <small>Group contains 1 group and 2 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_accounts-session" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_accounts-session" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts"><td style="padding-left: 57px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_accounts-session">[ref]</a>  
@@ -29451,7 +29451,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id193" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id193"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rsyslog is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id193" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id193"><pre><code>
+[[packages]]
+name = "rsyslog"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id194" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id194"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rsyslog is installed
   package:
     name: rsyslog
     state: present
@@ -29464,19 +29468,15 @@
   - medium_severity
   - no_reboot_needed
   - package_rsyslog_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id194" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id194"><pre><code>
-[[packages]]
-name = "rsyslog"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id195" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id195"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=rsyslog
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id196" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id196"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_rsyslog
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id195" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id195"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_rsyslog
 
 class install_rsyslog {
   package { 'rsyslog':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id196" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id196"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=rsyslog
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_rsyslog_enabled" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rsyslog_enabled" id="guide-tree-leaf-id197" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_logging"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_service_rsyslog_enabled"><span class="label label-default">Rule</span>  
                                 Enable rsyslog Service
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_service_rsyslog_enabled">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The <code>rsyslog</code> service provides syslog-style logging by default on Oracle Linux 9.
@@ -29495,7 +29495,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id199" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id199"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service rsyslog
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id199" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id199"><pre><code>
+[customizations.services]
+enabled = ["rsyslog"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id200" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id200"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service rsyslog
   block:
 
   - name: Gather the package facts
@@ -29520,9 +29523,6 @@
   - medium_severity
   - no_reboot_needed
   - service_rsyslog_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id200" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id200"><pre><code>
-[customizations.services]
-enabled = ["rsyslog"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id201" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id201"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_rsyslog
 
 class enable_rsyslog {
@@ -29713,7 +29713,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id211" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id211"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Block Disable service autofs
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id211" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id211"><pre><code>
+[customizations.services]
+disabled = ["autofs"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id212" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id212"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Block Disable service autofs
   block:
 
   - name: Disable service autofs
@@ -29785,9 +29788,6 @@
   - medium_severity
   - no_reboot_needed
   - service_autofs_disabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id212" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id212"><pre><code>
-[customizations.services]
-disabled = ["autofs"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id213" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id213"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include disable_autofs
 
 class disable_autofs {
@@ -30181,7 +30181,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id222" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id222"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Block Disable service abrtd
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id222" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id222"><pre><code>
+[customizations.services]
+disabled = ["abrtd"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id223" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id223"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Block Disable service abrtd
   block:
 
   - name: Disable service abrtd
@@ -30244,9 +30247,6 @@
   - medium_severity
   - no_reboot_needed
   - service_abrtd_disabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id223" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id223"><pre><code>
-[customizations.services]
-disabled = ["abrtd"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id224" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id224"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include disable_abrtd
 
 class disable_abrtd {
@@ -30288,7 +30288,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id227" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id227"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Block Disable service ntpdate
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id227" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id227"><pre><code>
+[customizations.services]
+disabled = ["ntpdate"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id228" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id228"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Block Disable service ntpdate
   block:
 
   - name: Disable service ntpdate
@@ -30354,9 +30357,6 @@
   - low_severity
   - no_reboot_needed
   - service_ntpdate_disabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id228" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id228"><pre><code>
-[customizations.services]
-disabled = ["ntpdate"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id229" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id229"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include disable_ntpdate
 
 class disable_ntpdate {
@@ -30397,7 +30397,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id232" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id232"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Block Disable service oddjobd
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id232" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id232"><pre><code>
+[customizations.services]
+disabled = ["oddjobd"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id233" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id233"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Block Disable service oddjobd
   block:
 
/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-stig.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-stig.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-stig.html	2023-07-27 00:00:00.000000000 +0000
@@ -67,7 +67,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>[DRAFT] DISA STIG for Oracle Linux 9</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_stig</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:oracle:linux:9 is applicable to this Benchmark">cpe:/o:oracle:linux:9</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_fapolicyd">Application Whitelisting Daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_routing">Network Routing</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_sssd">System Security Services Daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_usbguard">USBGuard daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_xwindows">X Window System</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_OL-9"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_OL-9"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Oracle Linux 9
                           <small>Group contains 115 groups and 494 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_OL-9"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -121,7 +121,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id15" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id15"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id15" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id15"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id16" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id16"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -137,19 +141,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id16" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id16"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id17" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id17"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id18" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id18"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id17" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id17"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id18" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id18"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_check_audit_tools" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_aide_check_audit_tools" id="guide-tree-leaf-id19" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_aide"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_aide_check_audit_tools"><span class="label label-default">Rule</span>  
                                 Configure AIDE to Verify the Audit Tools
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_aide_check_audit_tools">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The operating system file integrity tool must be configured to protect the integrity of the audit tools.</div></td></tr><tr><td><span class="label label-primary">Rationale:</span></td><td><div class="rationale">Protecting the integrity of the tools used for auditing purposes is a
@@ -1478,7 +1478,11 @@
 if ! rpm -q --quiet "crypto-policies" ; then
     yum install -y "crypto-policies"
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id48" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id48"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure crypto-policies is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id48" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id48"><pre><code>
+[[packages]]
+name = "crypto-policies"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id49" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id49"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure crypto-policies is installed
   package:
     name: crypto-policies
     state: present
@@ -1489,19 +1493,15 @@
   - medium_severity
   - no_reboot_needed
   - package_crypto-policies_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id49" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id49"><pre><code>
-[[packages]]
-name = "crypto-policies"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id50" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id50"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=crypto-policies
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id51" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id51"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_crypto-policies
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id50" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id50"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_crypto-policies
 
 class install_crypto-policies {
   package { 'crypto-policies':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id51" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id51"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=crypto-policies
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_configure_bind_crypto_policy" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_configure_bind_crypto_policy" id="guide-tree-leaf-id52" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_crypto"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_configure_bind_crypto_policy"><span class="label label-default">Rule</span>  
                                 Configure BIND to use System Crypto Policy
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_configure_bind_crypto_policy">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -4032,7 +4032,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id130" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id130"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id130" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id130"><pre><code>
+[[packages]]
+name = "sudo"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id131" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id131"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -4046,19 +4050,15 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id131" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id131"><pre><code>
-[[packages]]
-name = "sudo"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id132" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id132"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=sudo
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id133" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id133"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id132" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id132"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
 
 class install_sudo {
   package { 'sudo':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id133" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id133"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=sudo
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate" id="guide-tree-leaf-id134" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_sudo"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate"><span class="label label-default">Rule</span>  
                                 Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The sudo <code>!authenticate</code> option, when specified, allows a user to execute commands using
@@ -4726,7 +4726,11 @@
 if ! rpm -q --quiet "gnutls-utils" ; then
     yum install -y "gnutls-utils"
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id149" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id149"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure gnutls-utils is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id149" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id149"><pre><code>
+[[packages]]
+name = "gnutls-utils"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id150" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id150"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure gnutls-utils is installed
   package:
     name: gnutls-utils
     state: present
@@ -4737,19 +4741,15 @@
   - medium_severity
   - no_reboot_needed
   - package_gnutls-utils_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id150" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id150"><pre><code>
-[[packages]]
-name = "gnutls-utils"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id151" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id151"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=gnutls-utils
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id152" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id152"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_gnutls-utils
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id151" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id151"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_gnutls-utils
 
 class install_gnutls-utils {
   package { 'gnutls-utils':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id152" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id152"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=gnutls-utils
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_nss-tools_installed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_nss-tools_installed" id="guide-tree-leaf-id153" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system-tools"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_nss-tools_installed"><span class="label label-default">Rule</span>  
                                 Ensure nss-tools is installed
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_nss-tools_installed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The <code>nss-tools</code> package can be installed with the following command:
@@ -4763,7 +4763,11 @@
 if ! rpm -q --quiet "nss-tools" ; then
     yum install -y "nss-tools"
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id155" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id155"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure nss-tools is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id155" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id155"><pre><code>
+[[packages]]
+name = "nss-tools"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id156" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id156"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure nss-tools is installed
   package:
     name: nss-tools
     state: present
@@ -4774,19 +4778,15 @@
   - medium_severity
   - no_reboot_needed
   - package_nss-tools_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id156" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id156"><pre><code>
-[[packages]]
-name = "nss-tools"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id157" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id157"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=nss-tools
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id158" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id158"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_nss-tools
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id157" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id157"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_nss-tools
 
 class install_nss-tools {
   package { 'nss-tools':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id158" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id158"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=nss-tools
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_rng-tools_installed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_rng-tools_installed" id="guide-tree-leaf-id159" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system-tools"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_rng-tools_installed"><span class="label label-default">Rule</span>  
                                 Install rng-tools Package
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_rng-tools_installed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The <code>rng-tools</code> package can be installed with the following command:
@@ -4797,7 +4797,11 @@
 if ! rpm -q --quiet "rng-tools" ; then
     yum install -y "rng-tools"
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id161" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id161"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rng-tools is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id161" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id161"><pre><code>
+[[packages]]
+name = "rng-tools"
+version = "*"
/usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-stig_gui.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-stig_gui.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ol9-guide-stig_gui.html	2023-07-27 00:00:00.000000000 +0000
@@ -73,7 +73,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>[DRAFT] DISA STIG with GUI for Oracle Linux 9</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_stig_gui</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:oracle:linux:9 is applicable to this Benchmark">cpe:/o:oracle:linux:9</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_fapolicyd">Application Whitelisting Daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_routing">Network Routing</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_sssd">System Security Services Daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_usbguard">USBGuard daemon</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_OL-9"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_OL-9"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Oracle Linux 9
                           <small>Group contains 113 groups and 491 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_OL-9"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -127,7 +127,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id15" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id15"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id15" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id15"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id16" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id16"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -143,19 +147,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id16" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id16"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id17" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id17"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id18" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id18"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id17" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id17"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id18" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id18"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_check_audit_tools" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_aide_check_audit_tools" id="guide-tree-leaf-id19" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_aide"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_aide_check_audit_tools"><span class="label label-default">Rule</span>  
                                 Configure AIDE to Verify the Audit Tools
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_aide_check_audit_tools">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The operating system file integrity tool must be configured to protect the integrity of the audit tools.</div></td></tr><tr><td><span class="label label-primary">Rationale:</span></td><td><div class="rationale">Protecting the integrity of the tools used for auditing purposes is a
@@ -1484,7 +1484,11 @@
 if ! rpm -q --quiet "crypto-policies" ; then
     yum install -y "crypto-policies"
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id48" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id48"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure crypto-policies is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id48" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id48"><pre><code>
+[[packages]]
+name = "crypto-policies"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id49" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id49"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure crypto-policies is installed
   package:
     name: crypto-policies
     state: present
@@ -1495,19 +1499,15 @@
   - medium_severity
   - no_reboot_needed
   - package_crypto-policies_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id49" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id49"><pre><code>
-[[packages]]
-name = "crypto-policies"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id50" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id50"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=crypto-policies
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id51" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id51"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_crypto-policies
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id50" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id50"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_crypto-policies
 
 class install_crypto-policies {
   package { 'crypto-policies':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id51" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id51"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=crypto-policies
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_configure_bind_crypto_policy" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_configure_bind_crypto_policy" id="guide-tree-leaf-id52" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_crypto"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_configure_bind_crypto_policy"><span class="label label-default">Rule</span>  
                                 Configure BIND to use System Crypto Policy
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_configure_bind_crypto_policy">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -4038,7 +4038,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id130" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id130"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id130" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id130"><pre><code>
+[[packages]]
+name = "sudo"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id131" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id131"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -4052,19 +4056,15 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id131" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id131"><pre><code>
-[[packages]]
-name = "sudo"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id132" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id132"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=sudo
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id133" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id133"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id132" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id132"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
 
 class install_sudo {
   package { 'sudo':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id133" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id133"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=sudo
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate" id="guide-tree-leaf-id134" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_sudo"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate"><span class="label label-default">Rule</span>  
                                 Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The sudo <code>!authenticate</code> option, when specified, allows a user to execute commands using
@@ -4732,7 +4732,11 @@
 if ! rpm -q --quiet "gnutls-utils" ; then
     yum install -y "gnutls-utils"
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id149" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id149"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure gnutls-utils is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id149" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id149"><pre><code>
+[[packages]]
+name = "gnutls-utils"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id150" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id150"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure gnutls-utils is installed
   package:
     name: gnutls-utils
     state: present
@@ -4743,19 +4747,15 @@
   - medium_severity
   - no_reboot_needed
   - package_gnutls-utils_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id150" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id150"><pre><code>
-[[packages]]
-name = "gnutls-utils"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id151" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id151"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=gnutls-utils
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id152" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id152"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_gnutls-utils
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id151" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id151"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_gnutls-utils
 
 class install_gnutls-utils {
   package { 'gnutls-utils':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id152" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id152"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=gnutls-utils
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_nss-tools_installed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_nss-tools_installed" id="guide-tree-leaf-id153" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system-tools"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_nss-tools_installed"><span class="label label-default">Rule</span>  
                                 Ensure nss-tools is installed
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_nss-tools_installed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The <code>nss-tools</code> package can be installed with the following command:
@@ -4769,7 +4769,11 @@
 if ! rpm -q --quiet "nss-tools" ; then
     yum install -y "nss-tools"
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id155" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id155"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure nss-tools is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id155" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id155"><pre><code>
+[[packages]]
+name = "nss-tools"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id156" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id156"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure nss-tools is installed
   package:
     name: nss-tools
     state: present
@@ -4780,19 +4784,15 @@
   - medium_severity
   - no_reboot_needed
   - package_nss-tools_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id156" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id156"><pre><code>
-[[packages]]
-name = "nss-tools"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id157" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id157"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=nss-tools
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id158" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id158"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_nss-tools
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id157" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id157"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_nss-tools
 
 class install_nss-tools {
   package { 'nss-tools':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id158" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id158"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=nss-tools
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_rng-tools_installed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_rng-tools_installed" id="guide-tree-leaf-id159" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system-tools"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_rng-tools_installed"><span class="label label-default">Rule</span>  
                                 Install rng-tools Package
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_rng-tools_installed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The <code>rng-tools</code> package can be installed with the following command:
@@ -4803,7 +4803,11 @@
 if ! rpm -q --quiet "rng-tools" ; then
     yum install -y "rng-tools"
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id161" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id161"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rng-tools is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id161" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id161"><pre><code>
+[[packages]]
+name = "rng-tools"
+version = "*"
/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_enhanced.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_enhanced.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_enhanced.html	2023-07-27 00:00:00.000000000 +0000
@@ -71,7 +71,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>DRAFT - ANSSI-BP-028 (enhanced)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_bp28_enhanced</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux_coreos:4 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux_coreos:4</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHCOS-4"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHCOS-4"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4
                           <small>Group contains 50 groups and 151 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHCOS-4"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_high.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_high.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_high.html	2023-07-27 00:00:00.000000000 +0000
@@ -71,7 +71,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>DRAFT - ANSSI-BP-028 (high)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_bp28_high</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux_coreos:4 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux_coreos:4</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_kernel_build_config">Kernel Configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHCOS-4"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHCOS-4"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4
                           <small>Group contains 51 groups and 195 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHCOS-4"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_intermediary.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_intermediary.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_intermediary.html	2023-07-27 00:00:00.000000000 +0000
@@ -71,7 +71,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>DRAFT - ANSSI-BP-028 (intermediary)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_bp28_intermediary</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux_coreos:4 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux_coreos:4</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHCOS-4"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHCOS-4"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4
                           <small>Group contains 37 groups and 90 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHCOS-4"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_minimal.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_minimal.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-anssi_bp28_minimal.html	2023-07-27 00:00:00.000000000 +0000
@@ -71,7 +71,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>DRAFT - ANSSI-BP-028 (minimal)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_bp28_minimal</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux_coreos:4 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux_coreos:4</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHCOS-4"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHCOS-4"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4
                           <small>Group contains 11 groups and 8 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHCOS-4"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-e8.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-e8.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-e8.html	2023-07-27 00:00:00.000000000 +0000
@@ -71,7 +71,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Australian Cyber Security Centre (ACSC) Essential Eight</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_e8</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux_coreos:4 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux_coreos:4</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHCOS-4"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHCOS-4"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4
                           <small>Group contains 23 groups and 51 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHCOS-4"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-high.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-high.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-high.html	2023-07-27 00:00:00.000000000 +0000
@@ -87,7 +87,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>NIST 800-53 High-Impact Baseline for Red Hat Enterprise Linux CoreOS</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_high</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux_coreos:4 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux_coreos:4</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_usbguard">USBGuard daemon</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHCOS-4"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHCOS-4"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4
                           <small>Group contains 52 groups and 242 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHCOS-4"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-moderate.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-moderate.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-moderate.html	2023-07-27 00:00:00.000000000 +0000
@@ -87,7 +87,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>NIST 800-53 Moderate-Impact Baseline for Red Hat Enterprise Linux CoreOS</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_moderate</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux_coreos:4 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux_coreos:4</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_usbguard">USBGuard daemon</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHCOS-4"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHCOS-4"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4
                           <small>Group contains 52 groups and 241 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHCOS-4"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
/usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-nerc-cip.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-nerc-cip.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhcos4-guide-nerc-cip.html	2023-07-27 00:00:00.000000000 +0000
@@ -76,7 +76,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) cybersecurity standards profile for Red Hat Enterprise Linux CoreOS</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_nerc-cip</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux_coreos:4 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux_coreos:4</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_usbguard">USBGuard daemon</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHCOS-4"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHCOS-4"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4
                           <small>Group contains 52 groups and 241 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHCOS-4"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-C2S.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-C2S.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-C2S.html	2023-07-27 00:00:00.000000000 +0000
@@ -75,7 +75,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>C2S for Red Hat Enterprise Linux 7</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_C2S</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::client is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::client</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::computenode is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::computenode</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::server is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::server</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::workstation is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::workstation</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_avahi">Avahi Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_dns">DNS Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_http">Web Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_imap">IMAP and POP3 Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_printing">Print Support</a></li><li><a href="#xccdf_org.ssgproject.content_group_proxy">Proxy Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB) Microsoft Windows File Sharing Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_snmp">SNMP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_xwindows">X Window System</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-7"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 7
                           <small>Group contains 101 groups and 234 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -130,7 +130,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id26" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id26"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -148,19 +152,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id26" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id26"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id27" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id27"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id28" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id28"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id27" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id27"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id28" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id28"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking" id="guide-tree-leaf-id29" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_aide"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking"><span class="label label-default">Rule</span>  
                                 Configure Periodic Execution of AIDE
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_aide_periodic_cron_checking">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">At a minimum, AIDE should be configured to run a weekly scan.
@@ -5739,7 +5739,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id120" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id120"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Direct root Logins Not Allowed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id120" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id120"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,
+        mode: 0600
+        path: /etc/securetty
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id121" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id121"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Direct root Logins Not Allowed
   copy:
     dest: /etc/securetty
     content: ''
@@ -5757,20 +5771,6 @@
   - no_direct_root_logins
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id121" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id121"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,
-        mode: 0600
-        path: /etc/securetty
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts" id="guide-tree-leaf-id122" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_root_logins"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts"><span class="label label-default">Rule</span>  
                                 Ensure that System Accounts Do Not Run a Shell Upon Login
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Some accounts are not associated with a human user of the system, and exist to perform some
@@ -28818,7 +28818,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id213" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id213"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id213" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id213"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db64%20-S%20adjtimex%20-k%20audit_time_rules%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20adjtimex%20-k%20audit_time_rules%0A }}
+        mode: 0600
+        path: /etc/audit/rules.d/75-syscall-adjtimex.rules
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id214" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id214"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -29146,20 +29160,6 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id214" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id214"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db64%20-S%20adjtimex%20-k%20audit_time_rules%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20adjtimex%20-k%20audit_time_rules%0A }}
-        mode: 0600
-        path: /etc/audit/rules.d/75-syscall-adjtimex.rules
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime" id="guide-tree-leaf-id215" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_audit_time_rules"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime"><span class="label label-default">Rule</span>  
                                 Record Attempts to Alter Time Through clock_settime
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">If the <code>auditd</code> daemon is configured to use the
@@ -29512,7 +29512,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id217" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id217"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id217" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id217"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db64%20-S%20clock_settime%20-F%20a0%3D0x0%20-k%20time-change%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20clock_settime%20-F%20a0%3D0x0%20-k%20time-change%0A }}
+        mode: 0600
+        path: /etc/audit/rules.d/75-syscall-clock-settime.rules
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id218" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id218"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -29833,20 +29847,6 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id218" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id218"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db64%20-S%20clock_settime%20-F%20a0%3D0x0%20-k%20time-change%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20clock_settime%20-F%20a0%3D0x0%20-k%20time-change%0A }}
-        mode: 0600
-        path: /etc/audit/rules.d/75-syscall-clock-settime.rules
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday" id="guide-tree-leaf-id219" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_audit_time_rules"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday"><span class="label label-default">Rule</span>  
                                 Record attempts to alter time through settimeofday
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">If the <code>auditd</code> daemon is configured to use the
@@ -30211,7 +30211,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id221" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id221"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id221" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id221"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db64%20-S%20settimeofday%20-k%20audit_time_rules%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20settimeofday%20-k%20audit_time_rules%0A }}
+        mode: 0600
+        path: /etc/audit/rules.d/75-syscall-settimeofday.rules
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id222" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id222"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_enhanced.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_enhanced.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_enhanced.html	2023-07-27 00:00:00.000000000 +0000
@@ -71,7 +71,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>ANSSI-BP-028 (enhanced)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_nt28_enhanced</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::client is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::client</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::computenode is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::computenode</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::server is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::server</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::workstation is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::workstation</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-7"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 7
                           <small>Group contains 69 groups and 229 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -126,7 +126,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id26" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id26"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -144,19 +148,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id26" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id26"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id27" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id27"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id28" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id28"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id27" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id27"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id28" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id28"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_build_database" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_aide_build_database" id="guide-tree-leaf-id29" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_aide"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_aide_build_database"><span class="label label-default">Rule</span>  
                                 Build and Test AIDE Database
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_aide_build_database">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Run the following command to generate a new database:
@@ -586,7 +586,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id68" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id68"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id68" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id68"><pre><code>
+[[packages]]
+name = "sudo"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id69" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id69"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -601,19 +605,15 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id69" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id69"><pre><code>
-[[packages]]
-name = "sudo"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id70" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id70"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=sudo
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id71" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id71"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id70" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id70"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
 
 class install_sudo {
   package { 'sudo':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id71" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id71"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=sudo
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sudo_add_env_reset" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sudo_add_env_reset" id="guide-tree-leaf-id72" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_sudo"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_sudo_add_env_reset"><span class="label label-default">Rule</span>  
                                 Ensure sudo Runs In A Minimal Environment - sudo env_reset
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_sudo_add_env_reset">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The sudo <code>env_reset</code> tag, when specified, will run the command in a minimal environment,
@@ -7830,7 +7830,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id165" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id165"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Direct root Logins Not Allowed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id165" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id165"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,
+        mode: 0600
+        path: /etc/securetty
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id166" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id166"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Direct root Logins Not Allowed
   copy:
     dest: /etc/securetty
     content: ''
@@ -7848,20 +7862,6 @@
   - no_direct_root_logins
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id166" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id166"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,
-        mode: 0600
-        path: /etc/securetty
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_accounts-session" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts"><td style="padding-left: 57px" id="xccdf_org.ssgproject.content_group_accounts-session"><span class="label label-default">Group</span>  
                 Secure Session Configuration Files for Login Accounts
                           <small>Group contains 1 group and 6 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_accounts-session" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_accounts-session" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts"><td style="padding-left: 57px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_accounts-session">[ref]</a>  
@@ -28798,7 +28798,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id259" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id259"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id259" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id259"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20delete_module%20-k%20module-change%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20delete_module%20-k%20module-change%0A
+        mode: 0600
+        path: /etc/audit/rules.d/75-kernel-module-loading-delete.rules
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id260" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id260"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -29123,20 +29137,6 @@
   - low_disruption
   - medium_severity
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id260" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id260"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20delete_module%20-k%20module-change%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20delete_module%20-k%20module-change%0A
-        mode: 0600
-        path: /etc/audit/rules.d/75-kernel-module-loading-delete.rules
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_finit" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_finit" id="guide-tree-leaf-id261" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_audit_kernel_module_loading"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_finit"><span class="label label-default">Rule</span>  
                                 Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_finit">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program
@@ -29488,7 +29488,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id263" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id263"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id263" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id263"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20finit_module%20-k%20module-change%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20finit_module%20-k%20module-change%0A
+        mode: 0600
+        path: /etc/audit/rules.d/75-kernel-module-loading-finit.rules
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id264" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id264"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -29821,20 +29835,6 @@
   - low_disruption
   - medium_severity
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id264" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id264"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_high.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_high.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_high.html	2023-07-27 00:00:00.000000000 +0000
@@ -71,7 +71,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>ANSSI-BP-028 (high)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_nt28_high</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::client is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::client</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::computenode is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::computenode</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::server is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::server</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::workstation is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::workstation</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_kernel_build_config">Kernel Configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-7"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 7
                           <small>Group contains 70 groups and 285 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -126,7 +126,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id26" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id26"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -144,19 +148,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id26" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id26"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id27" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id27"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id28" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id28"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id27" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id27"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id28" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id28"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_build_database" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_aide_build_database" id="guide-tree-leaf-id29" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_aide"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_aide_build_database"><span class="label label-default">Rule</span>  
                                 Build and Test AIDE Database
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_aide_build_database">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Run the following command to generate a new database:
@@ -919,7 +919,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id78" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id78"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id78" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id78"><pre><code>
+[[packages]]
+name = "sudo"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id79" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id79"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -934,19 +938,15 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id79" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id79"><pre><code>
-[[packages]]
-name = "sudo"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id80" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id80"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=sudo
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id81" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id81"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id80" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id80"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
 
 class install_sudo {
   package { 'sudo':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id81" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id81"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=sudo
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sudo_add_env_reset" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sudo_add_env_reset" id="guide-tree-leaf-id82" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_sudo"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_sudo_add_env_reset"><span class="label label-default">Rule</span>  
                                 Ensure sudo Runs In A Minimal Environment - sudo env_reset
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_sudo_add_env_reset">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The sudo <code>env_reset</code> tag, when specified, will run the command in a minimal environment,
@@ -8163,7 +8163,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id175" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id175"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Direct root Logins Not Allowed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id175" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id175"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,
+        mode: 0600
+        path: /etc/securetty
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id176" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id176"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Direct root Logins Not Allowed
   copy:
     dest: /etc/securetty
     content: ''
@@ -8181,20 +8195,6 @@
   - no_direct_root_logins
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id176" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id176"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,
-        mode: 0600
-        path: /etc/securetty
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_accounts-session" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts"><td style="padding-left: 57px" id="xccdf_org.ssgproject.content_group_accounts-session"><span class="label label-default">Group</span>  
                 Secure Session Configuration Files for Login Accounts
                           <small>Group contains 1 group and 6 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_accounts-session" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_accounts-session" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts"><td style="padding-left: 57px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_accounts-session">[ref]</a>  
@@ -29131,7 +29131,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id269" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id269"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id269" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id269"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20delete_module%20-k%20module-change%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20delete_module%20-k%20module-change%0A
+        mode: 0600
+        path: /etc/audit/rules.d/75-kernel-module-loading-delete.rules
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id270" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id270"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -29456,20 +29470,6 @@
   - low_disruption
   - medium_severity
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id270" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id270"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20delete_module%20-k%20module-change%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20delete_module%20-k%20module-change%0A
-        mode: 0600
-        path: /etc/audit/rules.d/75-kernel-module-loading-delete.rules
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_finit" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_finit" id="guide-tree-leaf-id271" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_audit_kernel_module_loading"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_finit"><span class="label label-default">Rule</span>  
                                 Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_finit">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">If the <code>auditd</code> daemon is configured to use the <code>augenrules</code> program
@@ -29821,7 +29821,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id273" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id273"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id273" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id273"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20finit_module%20-k%20module-change%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20finit_module%20-k%20module-change%0A
+        mode: 0600
+        path: /etc/audit/rules.d/75-kernel-module-loading-finit.rules
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id274" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id274"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -30154,20 +30168,6 @@
   - low_disruption
   - medium_severity
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id274" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id274"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_intermediary.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_intermediary.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_intermediary.html	2023-07-27 00:00:00.000000000 +0000
@@ -71,7 +71,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>ANSSI-BP-028 (intermediary)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_nt28_intermediary</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::client is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::client</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::computenode is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::computenode</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::server is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::server</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::workstation is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::workstation</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-7"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 7
                           <small>Group contains 55 groups and 158 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -126,7 +126,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id26" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id26"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -144,19 +148,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id26" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id26"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id27" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id27"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id28" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id28"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id27" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id27"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id28" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id28"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_build_database" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_aide_build_database" id="guide-tree-leaf-id29" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_aide"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_aide_build_database"><span class="label label-default">Rule</span>  
                                 Build and Test AIDE Database
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_aide_build_database">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Run the following command to generate a new database:
@@ -458,7 +458,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id61" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id61"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id61" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id61"><pre><code>
+[[packages]]
+name = "sudo"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id62" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id62"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -473,19 +477,15 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id62" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id62"><pre><code>
-[[packages]]
-name = "sudo"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id63" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id63"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=sudo
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id64" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id64"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id63" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id63"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
 
 class install_sudo {
   package { 'sudo':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id64" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id64"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=sudo
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sudo_add_env_reset" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sudo_add_env_reset" id="guide-tree-leaf-id65" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_sudo"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_sudo_add_env_reset"><span class="label label-default">Rule</span>  
                                 Ensure sudo Runs In A Minimal Environment - sudo env_reset
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_sudo_add_env_reset">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The sudo <code>env_reset</code> tag, when specified, will run the command in a minimal environment,
@@ -7687,7 +7687,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id156" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id156"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Direct root Logins Not Allowed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id156" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id156"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,
+        mode: 0600
+        path: /etc/securetty
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id157" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id157"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Direct root Logins Not Allowed
   copy:
     dest: /etc/securetty
     content: ''
@@ -7705,20 +7719,6 @@
   - no_direct_root_logins
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id157" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id157"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,
-        mode: 0600
-        path: /etc/securetty
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_accounts-session" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts"><td style="padding-left: 57px" id="xccdf_org.ssgproject.content_group_accounts-session"><span class="label label-default">Group</span>  
                 Secure Session Configuration Files for Login Accounts
                           <small>Group contains 3 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_accounts-session" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_accounts-session" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts"><td style="padding-left: 57px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_accounts-session">[ref]</a>  
@@ -8694,7 +8694,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id174" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id174"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id174" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id174"><pre><code>[customizations.kernel]
+append = "l1tf=<abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_l1tf_options">full,force</abbr>"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id175" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id175"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -8776,8 +8778,6 @@
   - medium_complexity
   - reboot_required
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id175" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id175"><pre><code>[customizations.kernel]
-append = "l1tf=<abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_l1tf_options">full,force</abbr>"
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_mce_argument" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_grub2_mce_argument" id="guide-tree-leaf-id176" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_bootloader-grub2"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_grub2_mce_argument"><span class="label label-default">Rule</span>  
                                 Force kernel panic on uncorrected MCEs
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_grub2_mce_argument">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">A Machine Check Exception is an error generated by the CPU itdetects an error
@@ -8812,7 +8812,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id178" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id178"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id178" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id178"><pre><code>[customizations.kernel]
+append = "mce=0"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id179" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id179"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -8889,8 +8891,6 @@
   - medium_severity
   - reboot_required
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id179" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id179"><pre><code>[customizations.kernel]
-append = "mce=0"
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_rng_core_default_quality_argument" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_grub2_rng_core_default_quality_argument" id="guide-tree-leaf-id180" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_bootloader-grub2"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_grub2_rng_core_default_quality_argument"><span class="label label-default">Rule</span>  
                                 Configure the confidence in TPM for entropy
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_grub2_rng_core_default_quality_argument">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The TPM security chip that is available in most modern systems has a hardware RNG.
@@ -8938,7 +8938,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id182" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id182"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id182" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id182"><pre><code>[customizations.kernel]
+append = "rng_core.default_quality=<abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_rng_core_default_quality">500</abbr>"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id183" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id183"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -9021,8 +9023,6 @@
   - medium_complexity
   - reboot_required
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id183" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id183"><pre><code>[customizations.kernel]
-append = "rng_core.default_quality=<abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_rng_core_default_quality">500</abbr>"
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_slab_nomerge_argument" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_grub2_slab_nomerge_argument" id="guide-tree-leaf-id184" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_bootloader-grub2"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_grub2_slab_nomerge_argument"><span class="label label-default">Rule</span>  
                                 Disable merging of slabs with similar size
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_grub2_slab_nomerge_argument">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The kernel may merge similar slabs together to reduce overhead and increase
@@ -9060,7 +9060,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id186" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id186"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id186" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id186"><pre><code>[customizations.kernel]
+append = "slab_nomerge=yes"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id187" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id187"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -9137,8 +9139,6 @@
   - medium_severity
/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_minimal.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_minimal.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-anssi_nt28_minimal.html	2023-07-27 00:00:00.000000000 +0000
@@ -71,7 +71,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>ANSSI-BP-028 (minimal)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_nt28_minimal</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::client is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::client</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::computenode is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::computenode</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::server is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::server</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::workstation is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::workstation</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-7"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 7
                           <small>Group contains 26 groups and 42 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -7198,15 +7198,15 @@
   - medium_severity
   - no_reboot_needed
   - package_dhcp_removed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id104" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id104"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=dhcp
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id105" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id105"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_dhcp
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id104" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id104"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_dhcp
 
 class remove_dhcp {
   package { 'dhcp':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id105" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id105"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=dhcp
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_mail" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td style="padding-left: 38px" id="xccdf_org.ssgproject.content_group_mail"><span class="label label-default">Group</span>  
                 Mail Server Software
                           <small>Group contains  1 rule</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_mail" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_mail" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td style="padding-left: 38px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_mail">[ref]</a>  
@@ -7274,15 +7274,15 @@
   - medium_severity
   - no_reboot_needed
   - package_sendmail_removed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id109" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id109"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=sendmail
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id110" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id110"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_sendmail
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id109" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id109"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_sendmail
 
 class remove_sendmail {
   package { 'sendmail':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id110" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id110"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=sendmail
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_obsolete" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td style="padding-left: 38px" id="xccdf_org.ssgproject.content_group_obsolete"><span class="label label-default">Group</span>  
                 Obsolete Services
                           <small>Group contains 6 groups and 11 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_obsolete" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_obsolete" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td style="padding-left: 38px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_obsolete">[ref]</a>  
@@ -7351,15 +7351,15 @@
   - low_severity
   - no_reboot_needed
   - package_xinetd_removed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id114" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id114"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=xinetd
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id115" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id115"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_xinetd
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id114" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id114"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_xinetd
 
 class remove_xinetd {
   package { 'xinetd':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id115" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id115"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=xinetd
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_nis" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td style="padding-left: 57px" id="xccdf_org.ssgproject.content_group_nis"><span class="label label-default">Group</span>  
                 NIS
                           <small>Group contains 2 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_nis" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_nis" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td style="padding-left: 57px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_nis">[ref]</a>  
@@ -7404,15 +7404,15 @@
   - no_reboot_needed
   - package_ypbind_removed
   - unknown_severity
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id119" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id119"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=ypbind
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id120" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id120"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_ypbind
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id119" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id119"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_ypbind
 
 class remove_ypbind {
   package { 'ypbind':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id120" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id120"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=ypbind
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_ypserv_removed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ypserv_removed" id="guide-tree-leaf-id121" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_nis"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_ypserv_removed"><span class="label label-default">Rule</span>  
                                 Uninstall ypserv Package
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_ypserv_removed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The <code>ypserv</code> package can be removed with the following command:
@@ -7455,15 +7455,15 @@
   - low_disruption
   - no_reboot_needed
   - package_ypserv_removed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id124" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id124"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=ypserv
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id125" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id125"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_ypserv
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id124" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id124"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_ypserv
 
 class remove_ypserv {
   package { 'ypserv':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id125" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id125"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=ypserv
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_r_services" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td style="padding-left: 57px" id="xccdf_org.ssgproject.content_group_r_services"><span class="label label-default">Group</span>  
                 Rlogin, Rsh, and Rexec
                           <small>Group contains 2 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_r_services" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_r_services" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td style="padding-left: 57px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_r_services">[ref]</a>  
@@ -7509,15 +7509,15 @@
   - low_disruption
   - no_reboot_needed
   - package_rsh-server_removed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id129" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id129"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=rsh-server
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id130" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id130"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_rsh-server
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id129" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id129"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_rsh-server
 
 class remove_rsh-server {
   package { 'rsh-server':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id130" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id130"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=rsh-server
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_rsh_removed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_rsh_removed" id="guide-tree-leaf-id131" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_rsh_removed"><span class="label label-default">Rule</span>  
                                 Uninstall rsh Package
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_rsh_removed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">
@@ -7558,15 +7558,15 @@
   - no_reboot_needed
   - package_rsh_removed
   - unknown_severity
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id134" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id134"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=rsh
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id135" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id135"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_rsh
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id134" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id134"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_rsh
 
 class remove_rsh {
   package { 'rsh':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id135" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id135"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=rsh
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_talk" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td style="padding-left: 57px" id="xccdf_org.ssgproject.content_group_talk"><span class="label label-default">Group</span>  
                 Chat/Messaging Services
                           <small>Group contains 2 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_talk" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_talk" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td style="padding-left: 57px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_talk">[ref]</a>  
@@ -7601,15 +7601,15 @@
   - medium_severity
   - no_reboot_needed
   - package_talk-server_removed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id139" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id139"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=talk-server
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id140" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id140"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_talk-server
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id139" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id139"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_talk-server
 
 class remove_talk-server {
   package { 'talk-server':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id140" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id140"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=talk-server
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_talk_removed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_talk_removed" id="guide-tree-leaf-id141" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_talk"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_talk_removed"><span class="label label-default">Rule</span>  
                                 Uninstall talk Package
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_talk_removed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The <code>talk</code> package contains the client program for the
@@ -7647,15 +7647,15 @@
   - medium_severity
   - no_reboot_needed
   - package_talk_removed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id144" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id144"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=talk
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id145" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id145"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_talk
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id144" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id144"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_talk
 
 class remove_talk {
   package { 'talk':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id145" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id145"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=talk
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_telnet" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td style="padding-left: 57px" id="xccdf_org.ssgproject.content_group_telnet"><span class="label label-default">Group</span>  
                 Telnet
                           <small>Group contains 2 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_telnet" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_telnet" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td style="padding-left: 57px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_telnet">[ref]</a>  
@@ -7710,15 +7710,15 @@
   - low_disruption
   - no_reboot_needed
   - package_telnet-server_removed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id149" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id149"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=telnet-server
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id150" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id150"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_telnet-server
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id149" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id149"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_telnet-server
 
 class remove_telnet-server {
   package { 'telnet-server':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id150" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id150"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=telnet-server
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_telnet_removed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_telnet_removed" id="guide-tree-leaf-id151" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_telnet"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_telnet_removed"><span class="label label-default">Rule</span>  
                                 Remove telnet Clients
/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis.html	2023-07-27 00:00:00.000000000 +0000
@@ -70,7 +70,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>CIS Red Hat Enterprise Linux 7 Benchmark for Level 2 - Server</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_cis</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::client is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::client</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::computenode is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::computenode</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::server is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::server</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::workstation is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::workstation</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_avahi">Avahi Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_dns">DNS Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_http">Web Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_imap">IMAP and POP3 Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_printing">Print Support</a></li><li><a href="#xccdf_org.ssgproject.content_group_proxy">Proxy Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB) Microsoft Windows File Sharing Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_snmp">SNMP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_xwindows">X Window System</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-7"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 7
                           <small>Group contains 110 groups and 329 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -125,7 +125,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id26" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id26"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -143,19 +147,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id26" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id26"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id27" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id27"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id28" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id28"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id27" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id27"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id28" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id28"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_build_database" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_aide_build_database" id="guide-tree-leaf-id29" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_aide"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_aide_build_database"><span class="label label-default">Rule</span>  
                                 Build and Test AIDE Database
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_aide_build_database">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Run the following command to generate a new database:
@@ -480,15 +480,15 @@
   - medium_severity
   - no_reboot_needed
   - package_prelink_removed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id38" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id38"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=prelink
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id39" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id39"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_prelink
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id38" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id38"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_prelink
 
 class remove_prelink {
   package { 'prelink':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id39" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id39"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=prelink
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_disk_partitioning" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_software"><td style="padding-left: 57px" id="xccdf_org.ssgproject.content_group_disk_partitioning"><span class="label label-default">Group</span>  
                 Disk Partitioning
                           <small>Group contains 7 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_disk_partitioning" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disk_partitioning" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_software"><td style="padding-left: 57px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_disk_partitioning">[ref]</a>  
@@ -915,7 +915,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id71" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id71"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id71" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id71"><pre><code>
+[[packages]]
+name = "sudo"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id72" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id72"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -930,19 +934,15 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id72" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id72"><pre><code>
-[[packages]]
-name = "sudo"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id73" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id73"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=sudo
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id74" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id74"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id73" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id73"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
 
 class install_sudo {
   package { 'sudo':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id74" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id74"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=sudo
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sudo_add_use_pty" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sudo_add_use_pty" id="guide-tree-leaf-id75" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_sudo"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_sudo_add_use_pty"><span class="label label-default">Rule</span>  
                                 Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_pty
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_sudo_add_use_pty">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The sudo <code>use_pty</code> tag, when specified, will only execute sudo
@@ -26375,7 +26375,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id291" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id291"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id291" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id291"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20delete_module%20-k%20module-change%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20delete_module%20-k%20module-change%0A
+        mode: 0600
+        path: /etc/audit/rules.d/75-kernel-module-loading-delete.rules
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id292" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id292"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -26700,20 +26714,6 @@
   - low_disruption
   - medium_severity
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id292" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id292"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20delete_module%20-k%20module-change%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20delete_module%20-k%20module-change%0A
-        mode: 0600
-        path: /etc/audit/rules.d/75-kernel-module-loading-delete.rules
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_init" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_init" id="guide-tree-leaf-id293" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_audit_kernel_module_loading"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_init"><span class="label label-default">Rule</span>  
                                 Ensure auditd Collects Information on Kernel Module Loading - init_module
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_init">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">To capture kernel module loading events, use following line, setting ARCH to
@@ -27065,7 +27065,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id295" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id295"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id295" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id295"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20init_module%20-k%20module-change%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20init_module%20-k%20module-change%0A
+        mode: 0600
+        path: /etc/audit/rules.d/75-kernel-module-loading-init.rules
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id296" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id296"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -27398,20 +27412,6 @@
   - low_disruption
   - medium_severity
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id296" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id296"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20init_module%20-k%20module-change%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20init_module%20-k%20module-change%0A
-        mode: 0600
-        path: /etc/audit/rules.d/75-kernel-module-loading-init.rules
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_audit_login_events" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_auditd_configure_rules"><td style="padding-left: 76px" id="xccdf_org.ssgproject.content_group_audit_login_events"><span class="label label-default">Group</span>  
                 Record Attempts to Alter Logon and Logout Events
                           <small>Group contains 2 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_audit_login_events" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_audit_login_events" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_auditd_configure_rules"><td style="padding-left: 76px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_audit_login_events">[ref]</a>  
@@ -30098,7 +30098,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id317" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id317"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id317" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id317"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis_server_l1.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis_server_l1.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis_server_l1.html	2023-07-27 00:00:00.000000000 +0000
@@ -70,7 +70,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>CIS Red Hat Enterprise Linux 7 Benchmark for Level 1 - Server</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_cis_server_l1</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::client is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::client</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::computenode is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::computenode</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::server is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::server</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::workstation is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::workstation</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_avahi">Avahi Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_dns">DNS Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_http">Web Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_imap">IMAP and POP3 Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_printing">Print Support</a></li><li><a href="#xccdf_org.ssgproject.content_group_proxy">Proxy Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB) Microsoft Windows File Sharing Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_snmp">SNMP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_xwindows">X Window System</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-7"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 7
                           <small>Group contains 99 groups and 263 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -125,7 +125,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id26" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id26"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -143,19 +147,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id26" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id26"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id27" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id27"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id28" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id28"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id27" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id27"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id28" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id28"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_build_database" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_aide_build_database" id="guide-tree-leaf-id29" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_aide"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_aide_build_database"><span class="label label-default">Rule</span>  
                                 Build and Test AIDE Database
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_aide_build_database">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Run the following command to generate a new database:
@@ -480,15 +480,15 @@
   - medium_severity
   - no_reboot_needed
   - package_prelink_removed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id38" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id38"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=prelink
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id39" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id39"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_prelink
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id38" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id38"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_prelink
 
 class remove_prelink {
   package { 'prelink':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id39" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id39"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=prelink
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_disk_partitioning" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_software"><td style="padding-left: 57px" id="xccdf_org.ssgproject.content_group_disk_partitioning"><span class="label label-default">Group</span>  
                 Disk Partitioning
                           <small>Group contains 2 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_disk_partitioning" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disk_partitioning" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_software"><td style="padding-left: 57px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_disk_partitioning">[ref]</a>  
@@ -835,7 +835,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id56" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id56"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id56" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id56"><pre><code>
+[[packages]]
+name = "sudo"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id57" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id57"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -850,19 +854,15 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id57" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id57"><pre><code>
-[[packages]]
-name = "sudo"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id58" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id58"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=sudo
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id59" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id59"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id58" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id58"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
 
 class install_sudo {
   package { 'sudo':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id59" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id59"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=sudo
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sudo_add_use_pty" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sudo_add_use_pty" id="guide-tree-leaf-id60" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_sudo"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_sudo_add_use_pty"><span class="label label-default">Rule</span>  
                                 Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_pty
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_sudo_add_use_pty">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The sudo <code>use_pty</code> tag, when specified, will only execute sudo
@@ -8992,7 +8992,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id263" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id263"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rsyslog is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id263" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id263"><pre><code>
+[[packages]]
+name = "rsyslog"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id264" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id264"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rsyslog is installed
   package:
     name: rsyslog
     state: present
@@ -9006,19 +9010,15 @@
   - medium_severity
   - no_reboot_needed
   - package_rsyslog_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id264" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id264"><pre><code>
-[[packages]]
-name = "rsyslog"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id265" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id265"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=rsyslog
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id266" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id266"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_rsyslog
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id265" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id265"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_rsyslog
 
 class install_rsyslog {
   package { 'rsyslog':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id266" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id266"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=rsyslog
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_rsyslog_enabled" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rsyslog_enabled" id="guide-tree-leaf-id267" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_logging"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_service_rsyslog_enabled"><span class="label label-default">Rule</span>  
                                 Enable rsyslog Service
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_service_rsyslog_enabled">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The <code>rsyslog</code> service provides syslog-style logging by default on Red Hat Enterprise Linux 7.
@@ -9038,7 +9038,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id269" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id269"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service rsyslog
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id269" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id269"><pre><code>
+[customizations.services]
+enabled = ["rsyslog"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id270" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id270"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service rsyslog
   block:
 
   - name: Gather the package facts
@@ -9064,9 +9067,6 @@
   - medium_severity
   - no_reboot_needed
   - service_rsyslog_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id270" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id270"><pre><code>
-[customizations.services]
-enabled = ["rsyslog"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id271" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id271"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_rsyslog
 
 class enable_rsyslog {
@@ -9342,7 +9342,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id277" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id277"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure firewalld is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id277" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id277"><pre><code>
+[[packages]]
+name = "firewalld"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id278" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id278"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure firewalld is installed
   package:
     name: firewalld
     state: present
@@ -9356,19 +9360,15 @@
   - medium_severity
   - no_reboot_needed
   - package_firewalld_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id278" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id278"><pre><code>
-[[packages]]
-name = "firewalld"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id279" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id279"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=firewalld
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id280" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id280"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_firewalld
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id279" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id279"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_firewalld
 
 class install_firewalld {
   package { 'firewalld':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id280" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id280"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=firewalld
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_firewalld_enabled" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_firewalld_enabled" id="guide-tree-leaf-id281" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_firewalld_activation"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_service_firewalld_enabled"><span class="label label-default">Rule</span>  
                                 Verify firewalld Enabled
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_service_firewalld_enabled">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">
@@ -9388,7 +9388,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis_workstation_l1.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis_workstation_l1.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis_workstation_l1.html	2023-07-27 00:00:00.000000000 +0000
@@ -70,7 +70,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>CIS Red Hat Enterprise Linux 7 Benchmark for Level 1 - Workstation</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_cis_workstation_l1</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::client is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::client</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::computenode is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::computenode</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::server is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::server</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::workstation is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::workstation</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_dns">DNS Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_http">Web Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_imap">IMAP and POP3 Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_proxy">Proxy Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB) Microsoft Windows File Sharing Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_snmp">SNMP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-7"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 7
                           <small>Group contains 92 groups and 256 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -125,7 +125,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id26" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id26"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -143,19 +147,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id26" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id26"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id27" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id27"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id28" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id28"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id27" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id27"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id28" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id28"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_build_database" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_aide_build_database" id="guide-tree-leaf-id29" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_aide"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_aide_build_database"><span class="label label-default">Rule</span>  
                                 Build and Test AIDE Database
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_aide_build_database">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Run the following command to generate a new database:
@@ -480,15 +480,15 @@
   - medium_severity
   - no_reboot_needed
   - package_prelink_removed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id38" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id38"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=prelink
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id39" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id39"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_prelink
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id38" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id38"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_prelink
 
 class remove_prelink {
   package { 'prelink':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id39" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id39"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=prelink
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_disk_partitioning" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_software"><td style="padding-left: 57px" id="xccdf_org.ssgproject.content_group_disk_partitioning"><span class="label label-default">Group</span>  
                 Disk Partitioning
                           <small>Group contains 2 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_disk_partitioning" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disk_partitioning" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_software"><td style="padding-left: 57px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_disk_partitioning">[ref]</a>  
@@ -835,7 +835,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id56" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id56"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id56" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id56"><pre><code>
+[[packages]]
+name = "sudo"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id57" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id57"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -850,19 +854,15 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id57" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id57"><pre><code>
-[[packages]]
-name = "sudo"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id58" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id58"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=sudo
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id59" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id59"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id58" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id58"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
 
 class install_sudo {
   package { 'sudo':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id59" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id59"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=sudo
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sudo_add_use_pty" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sudo_add_use_pty" id="guide-tree-leaf-id60" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_sudo"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_sudo_add_use_pty"><span class="label label-default">Rule</span>  
                                 Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_pty
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_sudo_add_use_pty">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The sudo <code>use_pty</code> tag, when specified, will only execute sudo
@@ -8992,7 +8992,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id263" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id263"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rsyslog is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id263" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id263"><pre><code>
+[[packages]]
+name = "rsyslog"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id264" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id264"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rsyslog is installed
   package:
     name: rsyslog
     state: present
@@ -9006,19 +9010,15 @@
   - medium_severity
   - no_reboot_needed
   - package_rsyslog_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id264" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id264"><pre><code>
-[[packages]]
-name = "rsyslog"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id265" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id265"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=rsyslog
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id266" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id266"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_rsyslog
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id265" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id265"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_rsyslog
 
 class install_rsyslog {
   package { 'rsyslog':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id266" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id266"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=rsyslog
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_rsyslog_enabled" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_rsyslog_enabled" id="guide-tree-leaf-id267" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_logging"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_service_rsyslog_enabled"><span class="label label-default">Rule</span>  
                                 Enable rsyslog Service
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_service_rsyslog_enabled">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The <code>rsyslog</code> service provides syslog-style logging by default on Red Hat Enterprise Linux 7.
@@ -9038,7 +9038,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id269" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id269"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service rsyslog
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id269" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id269"><pre><code>
+[customizations.services]
+enabled = ["rsyslog"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id270" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id270"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service rsyslog
   block:
 
   - name: Gather the package facts
@@ -9064,9 +9067,6 @@
   - medium_severity
   - no_reboot_needed
   - service_rsyslog_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id270" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id270"><pre><code>
-[customizations.services]
-enabled = ["rsyslog"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id271" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id271"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_rsyslog
 
 class enable_rsyslog {
@@ -9342,7 +9342,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id277" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id277"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure firewalld is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id277" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id277"><pre><code>
+[[packages]]
+name = "firewalld"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id278" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id278"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure firewalld is installed
   package:
     name: firewalld
     state: present
@@ -9356,19 +9360,15 @@
   - medium_severity
   - no_reboot_needed
   - package_firewalld_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id278" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id278"><pre><code>
-[[packages]]
-name = "firewalld"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id279" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id279"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=firewalld
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id280" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id280"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_firewalld
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id279" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id279"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_firewalld
 
 class install_firewalld {
   package { 'firewalld':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id280" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id280"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=firewalld
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_firewalld_enabled" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_firewalld_enabled" id="guide-tree-leaf-id281" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_firewalld_activation"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_service_firewalld_enabled"><span class="label label-default">Rule</span>  
                                 Verify firewalld Enabled
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_service_firewalld_enabled">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">
@@ -9388,7 +9388,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis_workstation_l2.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis_workstation_l2.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cis_workstation_l2.html	2023-07-27 00:00:00.000000000 +0000
@@ -70,7 +70,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>CIS Red Hat Enterprise Linux 7 Benchmark for Level 2 - Workstation</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_cis_workstation_l2</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::client is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::client</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::computenode is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::computenode</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::server is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::server</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::workstation is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::workstation</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_avahi">Avahi Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_dns">DNS Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_http">Web Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_imap">IMAP and POP3 Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_proxy">Proxy Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB) Microsoft Windows File Sharing Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_snmp">SNMP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-7"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 7
                           <small>Group contains 107 groups and 326 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -125,7 +125,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id26" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id26"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -143,19 +147,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id26" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id26"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id27" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id27"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id28" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id28"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id27" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id27"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id28" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id28"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_build_database" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_aide_build_database" id="guide-tree-leaf-id29" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_aide"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_aide_build_database"><span class="label label-default">Rule</span>  
                                 Build and Test AIDE Database
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_aide_build_database">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Run the following command to generate a new database:
@@ -480,15 +480,15 @@
   - medium_severity
   - no_reboot_needed
   - package_prelink_removed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id38" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id38"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=prelink
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id39" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id39"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_prelink
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id38" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id38"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_prelink
 
 class remove_prelink {
   package { 'prelink':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id39" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id39"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=prelink
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_disk_partitioning" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_software"><td style="padding-left: 57px" id="xccdf_org.ssgproject.content_group_disk_partitioning"><span class="label label-default">Group</span>  
                 Disk Partitioning
                           <small>Group contains 7 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_disk_partitioning" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disk_partitioning" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_software"><td style="padding-left: 57px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_disk_partitioning">[ref]</a>  
@@ -915,7 +915,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id71" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id71"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id71" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id71"><pre><code>
+[[packages]]
+name = "sudo"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id72" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id72"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -930,19 +934,15 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id72" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id72"><pre><code>
-[[packages]]
-name = "sudo"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id73" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id73"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=sudo
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id74" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id74"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id73" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id73"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
 
 class install_sudo {
   package { 'sudo':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id74" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id74"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=sudo
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sudo_add_use_pty" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sudo_add_use_pty" id="guide-tree-leaf-id75" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_sudo"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_sudo_add_use_pty"><span class="label label-default">Rule</span>  
                                 Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_pty
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_sudo_add_use_pty">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The sudo <code>use_pty</code> tag, when specified, will only execute sudo
@@ -26375,7 +26375,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id291" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id291"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id291" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id291"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20delete_module%20-k%20module-change%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20delete_module%20-k%20module-change%0A
+        mode: 0600
+        path: /etc/audit/rules.d/75-kernel-module-loading-delete.rules
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id292" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id292"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -26700,20 +26714,6 @@
   - low_disruption
   - medium_severity
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id292" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id292"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20delete_module%20-k%20module-change%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20delete_module%20-k%20module-change%0A
-        mode: 0600
-        path: /etc/audit/rules.d/75-kernel-module-loading-delete.rules
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_init" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_init" id="guide-tree-leaf-id293" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_audit_kernel_module_loading"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_init"><span class="label label-default">Rule</span>  
                                 Ensure auditd Collects Information on Kernel Module Loading - init_module
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_init">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">To capture kernel module loading events, use following line, setting ARCH to
@@ -27065,7 +27065,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id295" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id295"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id295" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id295"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20init_module%20-k%20module-change%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20init_module%20-k%20module-change%0A
+        mode: 0600
+        path: /etc/audit/rules.d/75-kernel-module-loading-init.rules
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id296" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id296"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -27398,20 +27412,6 @@
   - low_disruption
   - medium_severity
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id296" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id296"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20init_module%20-k%20module-change%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20init_module%20-k%20module-change%0A
-        mode: 0600
-        path: /etc/audit/rules.d/75-kernel-module-loading-init.rules
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_audit_login_events" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_auditd_configure_rules"><td style="padding-left: 76px" id="xccdf_org.ssgproject.content_group_audit_login_events"><span class="label label-default">Group</span>  
                 Record Attempts to Alter Logon and Logout Events
                           <small>Group contains 2 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_audit_login_events" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_audit_login_events" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_auditd_configure_rules"><td style="padding-left: 76px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_audit_login_events">[ref]</a>  
@@ -30098,7 +30098,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id317" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id317"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id317" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id317"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cjis.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cjis.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cjis.html	2023-07-27 00:00:00.000000000 +0000
@@ -69,7 +69,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Criminal Justice Information Services (CJIS) Security Policy</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_cjis</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::client is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::client</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::computenode is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::computenode</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::server is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::server</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::workstation is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::workstation</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-7"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 7
                           <small>Group contains 47 groups and 102 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -470,7 +470,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id31" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id31"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id31" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id31"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id32" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id32"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -488,19 +492,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id32" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id32"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id33" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id33"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id34" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id34"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id33" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id33"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id34" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id34"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_build_database" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_aide_build_database" id="guide-tree-leaf-id35" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_aide"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_aide_build_database"><span class="label label-default">Rule</span>  
                                 Build and Test AIDE Database
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_aide_build_database">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Run the following command to generate a new database:
@@ -3888,7 +3888,26 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id100" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id100"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id100" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id100"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/password-auth
+        overwrite: true
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/system-auth
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id101" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id101"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
     authselect
   ansible.builtin.stat:
     path: /usr/bin/authselect
@@ -4015,25 +4034,6 @@
   - medium_disruption
   - no_empty_passwords
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id101" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id101"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/password-auth
-        overwrite: true
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/system-auth
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_accounts-session" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts"><td style="padding-left: 57px" id="xccdf_org.ssgproject.content_group_accounts-session"><span class="label label-default">Group</span>  
                 Secure Session Configuration Files for Login Accounts
                           <small>Group contains  1 rule</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_accounts-session" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_accounts-session" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts"><td style="padding-left: 57px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_accounts-session">[ref]</a>  
@@ -16497,7 +16497,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id158" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id158"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id158" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id158"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db64%20-S%20adjtimex%20-k%20audit_time_rules%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20adjtimex%20-k%20audit_time_rules%0A }}
+        mode: 0600
+        path: /etc/audit/rules.d/75-syscall-adjtimex.rules
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id159" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id159"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -16825,20 +16839,6 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id159" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id159"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db64%20-S%20adjtimex%20-k%20audit_time_rules%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20adjtimex%20-k%20audit_time_rules%0A }}
-        mode: 0600
-        path: /etc/audit/rules.d/75-syscall-adjtimex.rules
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime" id="guide-tree-leaf-id160" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_audit_time_rules"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime"><span class="label label-default">Rule</span>  
                                 Record Attempts to Alter Time Through clock_settime
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">If the <code>auditd</code> daemon is configured to use the
@@ -17191,7 +17191,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id162" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id162"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id162" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id162"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db64%20-S%20clock_settime%20-F%20a0%3D0x0%20-k%20time-change%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20clock_settime%20-F%20a0%3D0x0%20-k%20time-change%0A }}
+        mode: 0600
+        path: /etc/audit/rules.d/75-syscall-clock-settime.rules
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id163" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id163"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -17512,20 +17526,6 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id163" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id163"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db64%20-S%20clock_settime%20-F%20a0%3D0x0%20-k%20time-change%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20clock_settime%20-F%20a0%3D0x0%20-k%20time-change%0A }}
-        mode: 0600
-        path: /etc/audit/rules.d/75-syscall-clock-settime.rules
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday" id="guide-tree-leaf-id164" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_audit_time_rules"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday"><span class="label label-default">Rule</span>  
                                 Record attempts to alter time through settimeofday
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">If the <code>auditd</code> daemon is configured to use the
@@ -17890,7 +17890,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id166" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id166"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id166" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id166"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cui.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cui.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-cui.html	2023-07-27 00:00:00.000000000 +0000
@@ -81,7 +81,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_cui</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::client is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::client</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::computenode is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::computenode</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::server is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::server</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::workstation is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::workstation</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-7"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 7
                           <small>Group contains 50 groups and 103 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -152,7 +152,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure dracut-fips is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><pre><code>
+[[packages]]
+name = "dracut-fips"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id26" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id26"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure dracut-fips is installed
   package:
     name: dracut-fips
     state: present
@@ -177,19 +181,15 @@
   - medium_severity
   - no_reboot_needed
   - package_dracut-fips_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id26" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id26"><pre><code>
-[[packages]]
-name = "dracut-fips"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id27" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id27"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=dracut-fips
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id28" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id28"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_dracut-fips
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id27" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id27"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_dracut-fips
 
 class install_dracut-fips {
   package { 'dracut-fips':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id28" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id28"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=dracut-fips
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode" id="guide-tree-leaf-id29" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_fips"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode"><span class="label label-default">Rule</span>  
                                 Enable FIPS Mode in GRUB2
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">To ensure FIPS mode is enabled, install package <code>dracut-fips</code>, and rebuild <code>initramfs</code> by running the following commands:
@@ -5563,7 +5563,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id83" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id83"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure screen is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id83" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id83"><pre><code>
+[[packages]]
+name = "screen"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id84" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id84"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure screen is installed
   package:
     name: screen
     state: present
@@ -5579,19 +5583,15 @@
   - medium_severity
   - no_reboot_needed
   - package_screen_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id84" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id84"><pre><code>
-[[packages]]
-name = "screen"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id85" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id85"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=screen
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id86" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id86"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_screen
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id85" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id85"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_screen
 
 class install_screen {
   package { 'screen':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id86" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id86"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=screen
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_debug-shell_disabled" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_debug-shell_disabled" id="guide-tree-leaf-id87" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-physical"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_service_debug-shell_disabled"><span class="label label-default">Rule</span>  
                                 Disable debug-shell SystemD Service
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_service_debug-shell_disabled">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">SystemD's <code>debug-shell</code> service is intended to
@@ -5628,7 +5628,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id89" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id89"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Block Disable service debug-shell
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id89" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id89"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    systemd:
+      units:
+      - enabled: false
+        name: debug-shell.service
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id90" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id90"><pre><code>
+[customizations.services]
+disabled = ["debug-shell"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id91" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id91"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Block Disable service debug-shell
   block:
 
   - name: Disable service debug-shell
@@ -5694,20 +5708,6 @@
   - medium_severity
   - no_reboot_needed
   - service_debug-shell_disabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id90" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id90"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-      - enabled: false
-        name: debug-shell.service
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id91" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id91"><pre><code>
-[customizations.services]
-disabled = ["debug-shell"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id92" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id92"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include disable_debug-shell
 
 class disable_debug-shell {
@@ -5762,7 +5762,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id95" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id95"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id95" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id95"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,CtrlAltDelBurstAction%3Dnone
+        mode: 0644
+        path: /etc/systemd/system.conf.d/disable_ctrlaltdelete_burstaction.conf
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id96" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id96"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -5798,20 +5812,6 @@
   - low_complexity
   - low_disruption
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id96" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id96"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,CtrlAltDelBurstAction%3Dnone
-        mode: 0644
-        path: /etc/systemd/system.conf.d/disable_ctrlaltdelete_burstaction.conf
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot" id="guide-tree-leaf-id97" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-physical"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot"><span class="label label-default">Rule</span>  
                                 Disable Ctrl-Alt-Del Reboot Activation
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">By default, <code>SystemD</code> will reboot the system if the <code>Ctrl-Alt-Del</code>
@@ -5839,7 +5839,18 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id99" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id99"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Disable Ctrl-Alt-Del Reboot Activation
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id99" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id99"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    systemd:
+      units:
+      - name: ctrl-alt-del.target
+        mask: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id100" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id100"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Disable Ctrl-Alt-Del Reboot Activation
   systemd:
     name: ctrl-alt-del.target
     force: true
@@ -5858,17 +5869,6 @@
   - low_complexity
   - low_disruption
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id100" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id100"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-e8.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-e8.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-e8.html	2023-07-27 00:00:00.000000000 +0000
@@ -71,7 +71,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Australian Cyber Security Centre (ACSC) Essential Eight</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_e8</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::client is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::client</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::computenode is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::computenode</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::server is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::server</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::workstation is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::workstation</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_avahi">Avahi Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_proxy">Proxy Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_routing">Network Routing</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-7"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 7
                           <small>Group contains 46 groups and 94 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -843,7 +843,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id43" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id43"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rear is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id43" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id43"><pre><code>
+[[packages]]
+name = "rear"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id44" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id44"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rear is installed
   package:
     name: rear
     state: present
@@ -860,19 +864,15 @@
   - medium_severity
   - no_reboot_needed
   - package_rear_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id44" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id44"><pre><code>
-[[packages]]
-name = "rear"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id45" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id45"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=rear
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id46" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id46"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_rear
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id45" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id45"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_rear
 
 class install_rear {
   package { 'rear':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id46" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id46"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=rear
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_updating" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_software"><td style="padding-left: 57px" id="xccdf_org.ssgproject.content_group_updating"><span class="label label-default">Group</span>  
                 Updating Software
                           <small>Group contains 5 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_updating" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_updating" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_software"><td style="padding-left: 57px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_updating">[ref]</a>  
@@ -1461,7 +1461,26 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id64" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id64"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id64" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id64"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/password-auth
+        overwrite: true
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/system-auth
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id65" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id65"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
     authselect
   ansible.builtin.stat:
     path: /usr/bin/authselect
@@ -1588,25 +1607,6 @@
   - medium_disruption
   - no_empty_passwords
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id65" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id65"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/password-auth
-        overwrite: true
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/system-auth
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_root_logins" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-restrictions"><td style="padding-left: 76px" id="xccdf_org.ssgproject.content_group_root_logins"><span class="label label-default">Group</span>  
                 Restrict Root Logins
                           <small>Group contains  1 rule</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_root_logins" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_root_logins" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-restrictions"><td style="padding-left: 76px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_root_logins">[ref]</a>  
@@ -8800,7 +8800,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id109" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id109"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id109" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id109"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db64%20-S%20adjtimex%20-k%20audit_time_rules%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20adjtimex%20-k%20audit_time_rules%0A }}
+        mode: 0600
+        path: /etc/audit/rules.d/75-syscall-adjtimex.rules
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id110" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id110"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -9128,20 +9142,6 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id110" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id110"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db64%20-S%20adjtimex%20-k%20audit_time_rules%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20adjtimex%20-k%20audit_time_rules%0A }}
-        mode: 0600
-        path: /etc/audit/rules.d/75-syscall-adjtimex.rules
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime" id="guide-tree-leaf-id111" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_audit_time_rules"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime"><span class="label label-default">Rule</span>  
                                 Record Attempts to Alter Time Through clock_settime
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">If the <code>auditd</code> daemon is configured to use the
@@ -9494,7 +9494,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id113" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id113"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id113" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id113"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db64%20-S%20clock_settime%20-F%20a0%3D0x0%20-k%20time-change%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20clock_settime%20-F%20a0%3D0x0%20-k%20time-change%0A }}
+        mode: 0600
+        path: /etc/audit/rules.d/75-syscall-clock-settime.rules
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id114" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id114"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -9815,20 +9829,6 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id114" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id114"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db64%20-S%20clock_settime%20-F%20a0%3D0x0%20-k%20time-change%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20clock_settime%20-F%20a0%3D0x0%20-k%20time-change%0A }}
-        mode: 0600
-        path: /etc/audit/rules.d/75-syscall-clock-settime.rules
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday" id="guide-tree-leaf-id115" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_audit_time_rules"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday"><span class="label label-default">Rule</span>  
                                 Record attempts to alter time through settimeofday
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">If the <code>auditd</code> daemon is configured to use the
@@ -10193,7 +10193,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id117" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id117"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id117" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id117"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-hipaa.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-hipaa.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-hipaa.html	2023-07-27 00:00:00.000000000 +0000
@@ -74,7 +74,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Health Insurance Portability and Accountability Act (HIPAA)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_hipaa</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::client is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::client</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::computenode is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::computenode</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::server is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::server</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::workstation is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::workstation</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_routing">Network Routing</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-7"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 7
                           <small>Group contains 54 groups and 142 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -1354,7 +1354,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id52" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id52"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Block Disable service debug-shell
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id52" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id52"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    systemd:
+      units:
+      - enabled: false
+        name: debug-shell.service
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id53" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id53"><pre><code>
+[customizations.services]
+disabled = ["debug-shell"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id54" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id54"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Block Disable service debug-shell
   block:
 
   - name: Disable service debug-shell
@@ -1420,20 +1434,6 @@
   - medium_severity
   - no_reboot_needed
   - service_debug-shell_disabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id53" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id53"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-      - enabled: false
-        name: debug-shell.service
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id54" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id54"><pre><code>
-[customizations.services]
-disabled = ["debug-shell"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id55" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id55"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include disable_debug-shell
 
 class disable_debug-shell {
@@ -1488,7 +1488,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id58" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id58"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id58" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id58"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,CtrlAltDelBurstAction%3Dnone
+        mode: 0644
+        path: /etc/systemd/system.conf.d/disable_ctrlaltdelete_burstaction.conf
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id59" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id59"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -1524,20 +1538,6 @@
   - low_complexity
   - low_disruption
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id59" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id59"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,CtrlAltDelBurstAction%3Dnone
-        mode: 0644
-        path: /etc/systemd/system.conf.d/disable_ctrlaltdelete_burstaction.conf
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot" id="guide-tree-leaf-id60" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-physical"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot"><span class="label label-default">Rule</span>  
                                 Disable Ctrl-Alt-Del Reboot Activation
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">By default, <code>SystemD</code> will reboot the system if the <code>Ctrl-Alt-Del</code>
@@ -1565,7 +1565,18 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id62" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id62"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Disable Ctrl-Alt-Del Reboot Activation
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id62" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id62"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    systemd:
+      units:
+      - name: ctrl-alt-del.target
+        mask: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id63" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id63"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Disable Ctrl-Alt-Del Reboot Activation
   systemd:
     name: ctrl-alt-del.target
     force: true
@@ -1584,17 +1595,6 @@
   - low_complexity
   - low_disruption
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id63" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id63"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-      - name: ctrl-alt-del.target
-        mask: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_disable_interactive_boot" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_grub2_disable_interactive_boot" id="guide-tree-leaf-id64" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-physical"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_grub2_disable_interactive_boot"><span class="label label-default">Rule</span>  
                                 Verify that Interactive Boot is Disabled
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_grub2_disable_interactive_boot">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Red Hat Enterprise Linux 7 systems support an "interactive boot" option that can
@@ -1867,7 +1867,26 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id72" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id72"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id72" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id72"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/password-auth
+        overwrite: true
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/system-auth
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id73" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id73"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
     authselect
   ansible.builtin.stat:
     path: /usr/bin/authselect
@@ -1994,25 +2013,6 @@
   - medium_disruption
   - no_empty_passwords
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id73" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id73"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/password-auth
-        overwrite: true
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/system-auth
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_root_logins" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-restrictions"><td style="padding-left: 76px" id="xccdf_org.ssgproject.content_group_root_logins"><span class="label label-default">Group</span>  
                 Restrict Root Logins
                           <small>Group contains 3 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_root_logins" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_root_logins" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-restrictions"><td style="padding-left: 76px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_root_logins">[ref]</a>  
@@ -2065,7 +2065,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id76" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id76"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Direct root Logins Not Allowed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id76" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id76"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-ncp.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-ncp.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-ncp.html	2023-07-27 00:00:00.000000000 +0000
@@ -92,7 +92,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>NIST National Checklist Program Security Guide</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_ncp</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::client is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::client</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::computenode is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::computenode</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::server is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::server</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::workstation is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::workstation</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_routing">Network Routing</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_sssd">System Security Services Daemon</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-7"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 7
                           <small>Group contains 105 groups and 385 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -493,7 +493,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id31" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id31"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id31" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id31"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id32" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id32"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -511,19 +515,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id32" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id32"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id33" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id33"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id34" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id34"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id33" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id33"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id34" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id34"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_build_database" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_aide_build_database" id="guide-tree-leaf-id35" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_aide"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_aide_build_database"><span class="label label-default">Rule</span>  
                                 Build and Test AIDE Database
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_aide_build_database">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Run the following command to generate a new database:
@@ -1085,7 +1085,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id52" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id52"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure dracut-fips is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id52" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id52"><pre><code>
+[[packages]]
+name = "dracut-fips"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id53" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id53"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure dracut-fips is installed
   package:
     name: dracut-fips
     state: present
@@ -1110,19 +1114,15 @@
   - medium_severity
   - no_reboot_needed
   - package_dracut-fips_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id53" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id53"><pre><code>
-[[packages]]
-name = "dracut-fips"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id54" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id54"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=dracut-fips
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id55" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id55"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_dracut-fips
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id54" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id54"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_dracut-fips
 
 class install_dracut-fips {
   package { 'dracut-fips':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id55" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id55"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=dracut-fips
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode" id="guide-tree-leaf-id56" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_fips"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode"><span class="label label-default">Rule</span>  
                                 Enable FIPS Mode in GRUB2
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">To ensure FIPS mode is enabled, install package <code>dracut-fips</code>, and rebuild <code>initramfs</code> by running the following commands:
@@ -13544,7 +13544,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id231" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id231"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure screen is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id231" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id231"><pre><code>
+[[packages]]
+name = "screen"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id232" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id232"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure screen is installed
   package:
     name: screen
     state: present
@@ -13560,19 +13564,15 @@
   - medium_severity
   - no_reboot_needed
   - package_screen_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id232" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id232"><pre><code>
-[[packages]]
-name = "screen"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id233" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id233"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=screen
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id234" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id234"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_screen
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id233" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id233"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_screen
 
 class install_screen {
   package { 'screen':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id234" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id234"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=screen
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_smart_card_login" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_screen_locking"><td style="padding-left: 95px" id="xccdf_org.ssgproject.content_group_smart_card_login"><span class="label label-default">Group</span>  
                 Hardware Tokens for Authentication
                           <small>Group contains 6 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_smart_card_login" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_smart_card_login" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_screen_locking"><td style="padding-left: 95px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_smart_card_login">[ref]</a>  
@@ -13607,7 +13607,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id237" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id237"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure opensc is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id237" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id237"><pre><code>
+[[packages]]
+name = "opensc"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id238" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id238"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure opensc is installed
   package:
     name: opensc
     state: present
@@ -13621,19 +13625,15 @@
   - medium_severity
   - no_reboot_needed
   - package_opensc_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id238" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id238"><pre><code>
-[[packages]]
-name = "opensc"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id239" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id239"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=opensc
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id240" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id240"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_opensc
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id239" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id239"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_opensc
 
 class install_opensc {
   package { 'opensc':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id240" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id240"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=opensc
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_pcsc-lite_installed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_pcsc-lite_installed" id="guide-tree-leaf-id241" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smart_card_login"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_pcsc-lite_installed"><span class="label label-default">Rule</span>  
                                 Install the pcsc-lite package
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_pcsc-lite_installed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The <code>pcsc-lite</code> package can be installed with the following command:
@@ -13651,7 +13651,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id243" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id243"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure pcsc-lite is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id243" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id243"><pre><code>
+[[packages]]
+name = "pcsc-lite"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id244" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id244"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure pcsc-lite is installed
   package:
     name: pcsc-lite
     state: present
@@ -13665,19 +13669,15 @@
   - medium_severity
   - no_reboot_needed
   - package_pcsc-lite_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id244" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id244"><pre><code>
-[[packages]]
-name = "pcsc-lite"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id245" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id245"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=pcsc-lite
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id246" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id246"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_pcsc-lite
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id245" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id245"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_pcsc-lite
 
 class install_pcsc-lite {
   package { 'pcsc-lite':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id246" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id246"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=pcsc-lite
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_pcscd_enabled" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_pcscd_enabled" id="guide-tree-leaf-id247" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smart_card_login"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_service_pcscd_enabled"><span class="label label-default">Rule</span>  
                                 Enable the pcscd Service
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_service_pcscd_enabled">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">
@@ -13704,7 +13704,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id249" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id249"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service pcscd
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id249" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id249"><pre><code>
+[customizations.services]
+enabled = ["pcscd"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id250" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id250"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service pcscd
/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-ospp.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-ospp.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-ospp.html	2023-07-27 00:00:00.000000000 +0000
@@ -72,7 +72,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>OSPP - Protection Profile for General Purpose Operating Systems v4.2.1</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_ospp</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::client is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::client</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::computenode is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::computenode</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::server is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::server</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::workstation is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::workstation</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-7"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 7
                           <small>Group contains 50 groups and 103 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -143,7 +143,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure dracut-fips is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><pre><code>
+[[packages]]
+name = "dracut-fips"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id26" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id26"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure dracut-fips is installed
   package:
     name: dracut-fips
     state: present
@@ -168,19 +172,15 @@
   - medium_severity
   - no_reboot_needed
   - package_dracut-fips_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id26" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id26"><pre><code>
-[[packages]]
-name = "dracut-fips"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id27" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id27"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=dracut-fips
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id28" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id28"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_dracut-fips
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id27" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id27"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_dracut-fips
 
 class install_dracut-fips {
   package { 'dracut-fips':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id28" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id28"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=dracut-fips
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode" id="guide-tree-leaf-id29" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_fips"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode"><span class="label label-default">Rule</span>  
                                 Enable FIPS Mode in GRUB2
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">To ensure FIPS mode is enabled, install package <code>dracut-fips</code>, and rebuild <code>initramfs</code> by running the following commands:
@@ -5554,7 +5554,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id83" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id83"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure screen is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id83" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id83"><pre><code>
+[[packages]]
+name = "screen"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id84" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id84"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure screen is installed
   package:
     name: screen
     state: present
@@ -5570,19 +5574,15 @@
   - medium_severity
   - no_reboot_needed
   - package_screen_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id84" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id84"><pre><code>
-[[packages]]
-name = "screen"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id85" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id85"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=screen
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id86" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id86"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_screen
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id85" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id85"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_screen
 
 class install_screen {
   package { 'screen':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id86" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id86"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=screen
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_debug-shell_disabled" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_debug-shell_disabled" id="guide-tree-leaf-id87" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-physical"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_service_debug-shell_disabled"><span class="label label-default">Rule</span>  
                                 Disable debug-shell SystemD Service
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_service_debug-shell_disabled">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">SystemD's <code>debug-shell</code> service is intended to
@@ -5619,7 +5619,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id89" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id89"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Block Disable service debug-shell
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id89" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id89"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    systemd:
+      units:
+      - enabled: false
+        name: debug-shell.service
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id90" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id90"><pre><code>
+[customizations.services]
+disabled = ["debug-shell"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id91" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id91"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Block Disable service debug-shell
   block:
 
   - name: Disable service debug-shell
@@ -5685,20 +5699,6 @@
   - medium_severity
   - no_reboot_needed
   - service_debug-shell_disabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id90" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id90"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-      - enabled: false
-        name: debug-shell.service
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id91" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id91"><pre><code>
-[customizations.services]
-disabled = ["debug-shell"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id92" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id92"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include disable_debug-shell
 
 class disable_debug-shell {
@@ -5753,7 +5753,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id95" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id95"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id95" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id95"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,CtrlAltDelBurstAction%3Dnone
+        mode: 0644
+        path: /etc/systemd/system.conf.d/disable_ctrlaltdelete_burstaction.conf
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id96" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id96"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -5789,20 +5803,6 @@
   - low_complexity
   - low_disruption
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id96" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id96"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,CtrlAltDelBurstAction%3Dnone
-        mode: 0644
-        path: /etc/systemd/system.conf.d/disable_ctrlaltdelete_burstaction.conf
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot" id="guide-tree-leaf-id97" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-physical"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot"><span class="label label-default">Rule</span>  
                                 Disable Ctrl-Alt-Del Reboot Activation
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">By default, <code>SystemD</code> will reboot the system if the <code>Ctrl-Alt-Del</code>
@@ -5830,7 +5830,18 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id99" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id99"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Disable Ctrl-Alt-Del Reboot Activation
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id99" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id99"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    systemd:
+      units:
+      - name: ctrl-alt-del.target
+        mask: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id100" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id100"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Disable Ctrl-Alt-Del Reboot Activation
   systemd:
     name: ctrl-alt-del.target
     force: true
@@ -5849,17 +5860,6 @@
   - low_complexity
   - low_disruption
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id100" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id100"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-pci-dss.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-pci-dss.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-pci-dss.html	2023-07-27 00:00:00.000000000 +0000
@@ -65,7 +65,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 7</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_pci-dss</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::client is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::client</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::computenode is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::computenode</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::server is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::server</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::workstation is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::workstation</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-7"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 7
                           <small>Group contains 47 groups and 96 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -466,7 +466,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id31" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id31"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id31" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id31"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id32" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id32"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -484,19 +488,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id32" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id32"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id33" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id33"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id34" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id34"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id33" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id33"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id34" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id34"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_build_database" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_aide_build_database" id="guide-tree-leaf-id35" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_aide"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_aide_build_database"><span class="label label-default">Rule</span>  
                                 Build and Test AIDE Database
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_aide_build_database">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Run the following command to generate a new database:
@@ -6861,7 +6861,26 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id118" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id118"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id118" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id118"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/password-auth
+        overwrite: true
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/system-auth
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id119" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id119"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
     authselect
   ansible.builtin.stat:
     path: /usr/bin/authselect
@@ -6988,25 +7007,6 @@
   - medium_disruption
   - no_empty_passwords
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id119" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id119"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/password-auth
-        overwrite: true
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/system-auth
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_auditing" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td style="padding-left: 38px" id="xccdf_org.ssgproject.content_group_auditing"><span class="label label-default">Group</span>  
                 System Accounting with auditd
                           <small>Group contains 9 groups and 41 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_auditing" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_auditing" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td style="padding-left: 38px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_auditing">[ref]</a>  
@@ -19342,7 +19342,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id173" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id173"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id173" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id173"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db64%20-S%20adjtimex%20-k%20audit_time_rules%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20adjtimex%20-k%20audit_time_rules%0A }}
+        mode: 0600
+        path: /etc/audit/rules.d/75-syscall-adjtimex.rules
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id174" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id174"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -19670,20 +19684,6 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id174" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id174"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db64%20-S%20adjtimex%20-k%20audit_time_rules%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20adjtimex%20-k%20audit_time_rules%0A }}
-        mode: 0600
-        path: /etc/audit/rules.d/75-syscall-adjtimex.rules
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime" id="guide-tree-leaf-id175" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_audit_time_rules"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime"><span class="label label-default">Rule</span>  
                                 Record Attempts to Alter Time Through clock_settime
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">If the <code>auditd</code> daemon is configured to use the
@@ -20036,7 +20036,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id177" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id177"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id177" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id177"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db64%20-S%20clock_settime%20-F%20a0%3D0x0%20-k%20time-change%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20clock_settime%20-F%20a0%3D0x0%20-k%20time-change%0A }}
+        mode: 0600
+        path: /etc/audit/rules.d/75-syscall-clock-settime.rules
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id178" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id178"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -20357,20 +20371,6 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id178" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id178"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db64%20-S%20clock_settime%20-F%20a0%3D0x0%20-k%20time-change%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20clock_settime%20-F%20a0%3D0x0%20-k%20time-change%0A }}
-        mode: 0600
-        path: /etc/audit/rules.d/75-syscall-clock-settime.rules
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday" id="guide-tree-leaf-id179" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_audit_time_rules"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday"><span class="label label-default">Rule</span>  
                                 Record attempts to alter time through settimeofday
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">If the <code>auditd</code> daemon is configured to use the
@@ -20735,7 +20735,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id181" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id181"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id181" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id181"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-rhelh-stig.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-rhelh-stig.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-rhelh-stig.html	2023-07-27 00:00:00.000000000 +0000
@@ -67,7 +67,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>RHV hardening based on STIG for Red Hat Enterprise Linux 7</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_rhelh-stig</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::client is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::client</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::computenode is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::computenode</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::server is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::server</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::workstation is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::workstation</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_routing">Network Routing</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_sssd">System Security Services Daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_xwindows">X Window System</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-7"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 7
                           <small>Group contains 100 groups and 377 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -592,7 +592,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id34" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id34"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id34" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id34"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id35" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id35"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -610,19 +614,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id35" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id35"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id36" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id36"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id37" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id37"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id36" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id36"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id37" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id37"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_build_database" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_aide_build_database" id="guide-tree-leaf-id38" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_aide"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_aide_build_database"><span class="label label-default">Rule</span>  
                                 Build and Test AIDE Database
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_aide_build_database">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Run the following command to generate a new database:
@@ -1184,7 +1184,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id55" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id55"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure dracut-fips is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id55" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id55"><pre><code>
+[[packages]]
+name = "dracut-fips"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id56" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id56"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure dracut-fips is installed
   package:
     name: dracut-fips
     state: present
@@ -1209,19 +1213,15 @@
   - medium_severity
   - no_reboot_needed
   - package_dracut-fips_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id56" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id56"><pre><code>
-[[packages]]
-name = "dracut-fips"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id57" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id57"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=dracut-fips
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id58" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id58"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_dracut-fips
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id57" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id57"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_dracut-fips
 
 class install_dracut-fips {
   package { 'dracut-fips':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id58" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id58"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=dracut-fips
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode" id="guide-tree-leaf-id59" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_fips"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode"><span class="label label-default">Rule</span>  
                                 Enable FIPS Mode in GRUB2
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">To ensure FIPS mode is enabled, install package <code>dracut-fips</code>, and rebuild <code>initramfs</code> by running the following commands:
@@ -2106,15 +2106,15 @@
   - medium_severity
   - no_reboot_needed
   - package_gdm_removed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id85" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id85"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=gdm
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id86" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id86"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_gdm
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id85" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id85"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_gdm
 
 class remove_gdm {
   package { 'gdm':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id86" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id86"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=gdm
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_sudo" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_software"><td style="padding-left: 57px" id="xccdf_org.ssgproject.content_group_sudo"><span class="label label-default">Group</span>  
                 Sudo
                           <small>Group contains 2 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_sudo" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_sudo" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_software"><td style="padding-left: 57px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_sudo">[ref]</a>  
@@ -9532,7 +9532,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id171" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id171"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure screen is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id171" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id171"><pre><code>
+[[packages]]
+name = "screen"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id172" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id172"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure screen is installed
   package:
     name: screen
     state: present
@@ -9548,19 +9552,15 @@
   - medium_severity
   - no_reboot_needed
   - package_screen_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id172" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id172"><pre><code>
-[[packages]]
-name = "screen"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id173" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id173"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=screen
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id174" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id174"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_screen
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id173" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id173"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_screen
 
 class install_screen {
   package { 'screen':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id174" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id174"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=screen
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_smart_card_login" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_screen_locking"><td style="padding-left: 95px" id="xccdf_org.ssgproject.content_group_smart_card_login"><span class="label label-default">Group</span>  
                 Hardware Tokens for Authentication
                           <small>Group contains 6 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_smart_card_login" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_smart_card_login" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_screen_locking"><td style="padding-left: 95px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_smart_card_login">[ref]</a>  
@@ -9595,7 +9595,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id177" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id177"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure opensc is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id177" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id177"><pre><code>
+[[packages]]
+name = "opensc"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id178" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id178"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure opensc is installed
   package:
     name: opensc
     state: present
@@ -9609,19 +9613,15 @@
   - medium_severity
   - no_reboot_needed
   - package_opensc_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id178" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id178"><pre><code>
-[[packages]]
-name = "opensc"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id179" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id179"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=opensc
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id180" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id180"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_opensc
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id179" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id179"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_opensc
 
 class install_opensc {
   package { 'opensc':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id180" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id180"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=opensc
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_pcsc-lite_installed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_pcsc-lite_installed" id="guide-tree-leaf-id181" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smart_card_login"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_pcsc-lite_installed"><span class="label label-default">Rule</span>  
                                 Install the pcsc-lite package
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_pcsc-lite_installed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The <code>pcsc-lite</code> package can be installed with the following command:
@@ -9639,7 +9639,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id183" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id183"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure pcsc-lite is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id183" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id183"><pre><code>
+[[packages]]
+name = "pcsc-lite"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id184" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id184"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure pcsc-lite is installed
   package:
     name: pcsc-lite
     state: present
@@ -9653,19 +9657,15 @@
   - medium_severity
   - no_reboot_needed
   - package_pcsc-lite_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id184" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id184"><pre><code>
-[[packages]]
-name = "pcsc-lite"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id185" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id185"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=pcsc-lite
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id186" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id186"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_pcsc-lite
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id185" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id185"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_pcsc-lite
 
/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-rhelh-vpp.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-rhelh-vpp.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-rhelh-vpp.html	2023-07-27 00:00:00.000000000 +0000
@@ -90,7 +90,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>VPP - Protection Profile for Virtualization v. 1.0 for Red Hat Virtualization</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_rhelh-vpp</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::client is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::client</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::computenode is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::computenode</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::server is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::server</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::workstation is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::workstation</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_sssd">System Security Services Daemon</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-7"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 7
                           <small>Group contains 48 groups and 142 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -7501,7 +7501,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id106" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id106"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure opensc is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id106" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id106"><pre><code>
+[[packages]]
+name = "opensc"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id107" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id107"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure opensc is installed
   package:
     name: opensc
     state: present
@@ -7515,19 +7519,15 @@
   - medium_severity
   - no_reboot_needed
   - package_opensc_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id107" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id107"><pre><code>
-[[packages]]
-name = "opensc"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id108" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id108"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=opensc
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id109" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id109"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_opensc
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id108" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id108"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_opensc
 
 class install_opensc {
   package { 'opensc':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id109" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id109"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=opensc
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_pcsc-lite_installed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_pcsc-lite_installed" id="guide-tree-leaf-id110" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smart_card_login"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_pcsc-lite_installed"><span class="label label-default">Rule</span>  
                                 Install the pcsc-lite package
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_pcsc-lite_installed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The <code>pcsc-lite</code> package can be installed with the following command:
@@ -7545,7 +7545,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id112" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id112"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure pcsc-lite is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id112" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id112"><pre><code>
+[[packages]]
+name = "pcsc-lite"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id113" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id113"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure pcsc-lite is installed
   package:
     name: pcsc-lite
     state: present
@@ -7559,19 +7563,15 @@
   - medium_severity
   - no_reboot_needed
   - package_pcsc-lite_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id113" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id113"><pre><code>
-[[packages]]
-name = "pcsc-lite"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id114" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id114"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=pcsc-lite
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id115" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id115"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_pcsc-lite
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id114" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id114"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_pcsc-lite
 
 class install_pcsc-lite {
   package { 'pcsc-lite':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id115" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id115"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=pcsc-lite
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_pcscd_enabled" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_pcscd_enabled" id="guide-tree-leaf-id116" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smart_card_login"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_service_pcscd_enabled"><span class="label label-default">Rule</span>  
                                 Enable the pcscd Service
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_service_pcscd_enabled">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">
@@ -7598,7 +7598,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id118" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id118"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service pcscd
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id118" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id118"><pre><code>
+[customizations.services]
+enabled = ["pcscd"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id119" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id119"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service pcscd
   block:
 
   - name: Gather the package facts
@@ -7637,9 +7640,6 @@
   - medium_severity
   - no_reboot_needed
   - service_pcscd_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id119" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id119"><pre><code>
-[customizations.services]
-enabled = ["pcscd"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id120" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id120"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_pcscd
 
 class enable_pcscd {
@@ -8508,7 +8508,26 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id147" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id147"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id147" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id147"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/password-auth
+        overwrite: true
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/system-auth
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id148" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id148"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
     authselect
   ansible.builtin.stat:
     path: /usr/bin/authselect
@@ -8635,25 +8654,6 @@
   - medium_disruption
   - no_empty_passwords
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id148" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id148"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/password-auth
-        overwrite: true
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/system-auth
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_root_logins" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-restrictions"><td style="padding-left: 76px" id="xccdf_org.ssgproject.content_group_root_logins"><span class="label label-default">Group</span>  
                 Restrict Root Logins
                           <small>Group contains 5 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_root_logins" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_root_logins" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-restrictions"><td style="padding-left: 76px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_root_logins">[ref]</a>  
@@ -8766,7 +8766,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id154" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id154"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Direct root Logins Not Allowed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id154" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id154"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,
+        mode: 0600
+        path: /etc/securetty
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id155" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id155"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Direct root Logins Not Allowed
   copy:
     dest: /etc/securetty
     content: ''
@@ -8784,20 +8798,6 @@
   - no_direct_root_logins
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id155" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id155"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,
-        mode: 0600
-        path: /etc/securetty
-        overwrite: true
/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-rht-ccp.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-rht-ccp.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-rht-ccp.html	2023-07-27 00:00:00.000000000 +0000
@@ -68,7 +68,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_rht-ccp</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::client is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::client</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::computenode is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::computenode</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::server is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::server</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::workstation is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::workstation</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-7"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 7
                           <small>Group contains 38 groups and 68 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -123,7 +123,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id26" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id26"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -141,19 +145,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id26" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id26"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id27" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id27"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id28" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id28"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id27" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id27"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id28" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id28"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_disk_partitioning" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_software"><td style="padding-left: 57px" id="xccdf_org.ssgproject.content_group_disk_partitioning"><span class="label label-default">Group</span>  
                 Disk Partitioning
                           <small>Group contains 4 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_disk_partitioning" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_disk_partitioning" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_software"><td style="padding-left: 57px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_disk_partitioning">[ref]</a>  
@@ -4219,7 +4219,26 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id98" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id98"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id98" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id98"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/password-auth
+        overwrite: true
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/system-auth
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id99" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id99"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
     authselect
   ansible.builtin.stat:
     path: /usr/bin/authselect
@@ -4346,25 +4365,6 @@
   - medium_disruption
   - no_empty_passwords
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id99" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id99"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/password-auth
-        overwrite: true
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/system-auth
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_root_logins" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-restrictions"><td style="padding-left: 76px" id="xccdf_org.ssgproject.content_group_root_logins"><span class="label label-default">Group</span>  
                 Restrict Root Logins
                           <small>Group contains 2 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_root_logins" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_root_logins" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-restrictions"><td style="padding-left: 76px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_root_logins">[ref]</a>  
@@ -5195,7 +5195,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id121" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id121"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service firewalld
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id121" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id121"><pre><code>
+[customizations.services]
+enabled = ["firewalld"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id122" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id122"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service firewalld
   block:
 
   - name: Gather the package facts
@@ -5227,9 +5230,6 @@
   - medium_severity
   - no_reboot_needed
   - service_firewalld_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id122" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id122"><pre><code>
-[customizations.services]
-enabled = ["firewalld"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id123" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id123"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_firewalld
 
 class enable_firewalld {
@@ -5314,7 +5314,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id127" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id127"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Ensure kernel module 'dccp' is disabled
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id127" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id127"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,install%20dccp%20/bin/true%0Ablacklist%20dccp%0A
+        mode: 0644
+        path: /etc/modprobe.d/dccp.conf
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id128" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id128"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Ensure kernel module 'dccp' is disabled
   lineinfile:
     create: true
     dest: /etc/modprobe.d/dccp.conf
@@ -5361,20 +5375,6 @@
   - medium_disruption
   - medium_severity
   - reboot_required
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id128" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id128"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,install%20dccp%20/bin/true%0Ablacklist%20dccp%0A
-        mode: 0644
-        path: /etc/modprobe.d/dccp.conf
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_kernel_module_sctp_disabled" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_kernel_module_sctp_disabled" id="guide-tree-leaf-id129" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_network-uncommon"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_kernel_module_sctp_disabled"><span class="label label-default">Rule</span>  
                                 Disable SCTP Support
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_kernel_module_sctp_disabled">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The Stream Control Transmission Protocol (SCTP) is a
@@ -5409,7 +5409,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id131" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id131"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Ensure kernel module 'sctp' is disabled
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id131" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id131"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,install%20sctp%20/bin/true%0Ablacklist%20sctp%0A
+        mode: 0644
+        path: /etc/modprobe.d/sctp.conf
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id132" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id132"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Ensure kernel module 'sctp' is disabled
   lineinfile:
     create: true
     dest: /etc/modprobe.d/sctp.conf
@@ -5454,20 +5468,6 @@
   - medium_disruption
   - medium_severity
   - reboot_required
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id132" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id132"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-standard.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-standard.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-standard.html	2023-07-27 00:00:00.000000000 +0000
@@ -67,7 +67,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Standard System Security Profile for Red Hat Enterprise Linux 7</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_standard</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::client is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::client</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::computenode is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::computenode</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::server is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::server</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::workstation is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::workstation</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-7"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 7
                           <small>Group contains 28 groups and 51 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -921,7 +921,26 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id46" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id46"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id46" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id46"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/password-auth
+        overwrite: true
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/system-auth
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id47" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id47"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
     authselect
   ansible.builtin.stat:
     path: /usr/bin/authselect
@@ -1048,25 +1067,6 @@
   - medium_disruption
   - no_empty_passwords
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id47" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id47"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/password-auth
-        overwrite: true
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/system-auth
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_accounts-session" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts"><td style="padding-left: 57px" id="xccdf_org.ssgproject.content_group_accounts-session"><span class="label label-default">Group</span>  
                 Secure Session Configuration Files for Login Accounts
                           <small>Group contains  1 group and 1 rule</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_accounts-session" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_accounts-session" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts"><td style="padding-left: 57px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_accounts-session">[ref]</a>  
@@ -13032,7 +13032,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id101" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id101"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id101" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id101"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db64%20-S%20adjtimex%20-k%20audit_time_rules%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20adjtimex%20-k%20audit_time_rules%0A }}
+        mode: 0600
+        path: /etc/audit/rules.d/75-syscall-adjtimex.rules
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id102" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id102"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -13360,20 +13374,6 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id102" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id102"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db64%20-S%20adjtimex%20-k%20audit_time_rules%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20adjtimex%20-k%20audit_time_rules%0A }}
-        mode: 0600
-        path: /etc/audit/rules.d/75-syscall-adjtimex.rules
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime" id="guide-tree-leaf-id103" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_audit_time_rules"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime"><span class="label label-default">Rule</span>  
                                 Record Attempts to Alter Time Through clock_settime
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">If the <code>auditd</code> daemon is configured to use the
@@ -13726,7 +13726,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id105" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id105"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id105" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id105"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db64%20-S%20clock_settime%20-F%20a0%3D0x0%20-k%20time-change%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20clock_settime%20-F%20a0%3D0x0%20-k%20time-change%0A }}
+        mode: 0600
+        path: /etc/audit/rules.d/75-syscall-clock-settime.rules
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id106" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id106"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -14047,20 +14061,6 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id106" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id106"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db64%20-S%20clock_settime%20-F%20a0%3D0x0%20-k%20time-change%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20clock_settime%20-F%20a0%3D0x0%20-k%20time-change%0A }}
-        mode: 0600
-        path: /etc/audit/rules.d/75-syscall-clock-settime.rules
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday" id="guide-tree-leaf-id107" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_audit_time_rules"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday"><span class="label label-default">Rule</span>  
                                 Record attempts to alter time through settimeofday
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">If the <code>auditd</code> daemon is configured to use the
@@ -14425,7 +14425,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id109" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id109"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id109" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id109"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db64%20-S%20settimeofday%20-k%20audit_time_rules%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20settimeofday%20-k%20audit_time_rules%0A }}
+        mode: 0600
+        path: /etc/audit/rules.d/75-syscall-settimeofday.rules
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id110" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id110"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -14754,20 +14768,6 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id110" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id110"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db64%20-S%20settimeofday%20-k%20audit_time_rules%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20settimeofday%20-k%20audit_time_rules%0A }}
-        mode: 0600
-        path: /etc/audit/rules.d/75-syscall-settimeofday.rules
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_time_stime" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_time_stime" id="guide-tree-leaf-id111" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_audit_time_rules"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_audit_rules_time_stime"><span class="label label-default">Rule</span>  
                                 Record Attempts to Alter Time Through stime
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_audit_rules_time_stime">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">If the <code>auditd</code> daemon is configured to use the
@@ -15136,7 +15136,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-stig.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-stig.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-stig.html	2023-07-27 00:00:00.000000000 +0000
@@ -76,7 +76,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>DISA STIG for Red Hat Enterprise Linux 7</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_stig</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::client is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::client</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::computenode is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::computenode</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::server is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::server</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::workstation is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::workstation</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_snmp">SNMP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_sssd">System Security Services Daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_xwindows">X Window System</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-7"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 7
                           <small>Group contains 103 groups and 276 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -601,7 +601,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id34" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id34"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id34" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id34"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id35" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id35"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -619,19 +623,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id35" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id35"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id36" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id36"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id37" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id37"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id36" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id36"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id37" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id37"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_build_database" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_aide_build_database" id="guide-tree-leaf-id38" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_aide"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_aide_build_database"><span class="label label-default">Rule</span>  
                                 Build and Test AIDE Database
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_aide_build_database">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Run the following command to generate a new database:
@@ -13844,7 +13844,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id222" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id222"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure screen is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id222" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id222"><pre><code>
+[[packages]]
+name = "screen"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id223" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id223"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure screen is installed
   package:
     name: screen
     state: present
@@ -13860,19 +13864,15 @@
   - medium_severity
   - no_reboot_needed
   - package_screen_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id223" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id223"><pre><code>
-[[packages]]
-name = "screen"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id224" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id224"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=screen
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id225" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id225"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_screen
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id224" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id224"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_screen
 
 class install_screen {
   package { 'screen':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id225" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id225"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=screen
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_smart_card_login" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_screen_locking"><td style="padding-left: 95px" id="xccdf_org.ssgproject.content_group_smart_card_login"><span class="label label-default">Group</span>  
                 Hardware Tokens for Authentication
                           <small>Group contains 3 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_smart_card_login" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_smart_card_login" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_screen_locking"><td style="padding-left: 95px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_smart_card_login">[ref]</a>  
@@ -13909,7 +13909,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id228" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id228"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure pam_pkcs11 is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id228" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id228"><pre><code>
+[[packages]]
+name = "pam_pkcs11"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id229" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id229"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure pam_pkcs11 is installed
   package:
     name: pam_pkcs11
     state: present
@@ -13928,19 +13932,15 @@
   - low_disruption
   - medium_severity
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id229" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id229"><pre><code>
-[[packages]]
-name = "pam_pkcs11"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id230" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id230"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=pam_pkcs11
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id231" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id231"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_pam_pkcs11
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id230" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id230"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_pam_pkcs11
 
 class install_pam_pkcs11 {
   package { 'pam_pkcs11':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id231" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id231"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=pam_pkcs11
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_smartcard_auth" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_smartcard_auth" id="guide-tree-leaf-id232" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smart_card_login"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_smartcard_auth"><span class="label label-default">Rule</span>  
                                 Enable Smart Card Login
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_smartcard_auth">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">To enable smart card authentication, consult the documentation at:
@@ -14176,7 +14176,18 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id240" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id240"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Disable Ctrl-Alt-Del Reboot Activation
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id240" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id240"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    systemd:
+      units:
+      - name: ctrl-alt-del.target
+        mask: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id241" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id241"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Disable Ctrl-Alt-Del Reboot Activation
   systemd:
     name: ctrl-alt-del.target
     force: true
@@ -14195,17 +14206,6 @@
   - low_complexity
   - low_disruption
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id241" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id241"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-      - name: ctrl-alt-del.target
-        mask: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_require_singleuser_auth" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_require_singleuser_auth" id="guide-tree-leaf-id242" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-physical"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_require_singleuser_auth"><span class="label label-default">Rule</span>  
                                 Require Authentication for Single User Mode
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_require_singleuser_auth">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Single-user mode is intended as a system recovery
@@ -14747,7 +14747,26 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id263" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id263"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id263" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id263"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/password-auth
+        overwrite: true
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/system-auth
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id264" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id264"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
     authselect
   ansible.builtin.stat:
     path: /usr/bin/authselect
@@ -14874,25 +14893,6 @@
   - medium_disruption
   - no_empty_passwords
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id264" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id264"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
/usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-stig_gui.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-stig_gui.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel7-guide-stig_gui.html	2023-07-27 00:00:00.000000000 +0000
@@ -82,7 +82,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>DISA STIG with GUI for Red Hat Enterprise Linux 7</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_stig_gui</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::client is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::client</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::computenode is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::computenode</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::server is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::server</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::workstation is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::workstation</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_snmp">SNMP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_sssd">System Security Services Daemon</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-7"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 7
                           <small>Group contains 101 groups and 275 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -607,7 +607,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id34" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id34"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id34" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id34"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id35" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id35"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -625,19 +629,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id35" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id35"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id36" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id36"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id37" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id37"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id36" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id36"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id37" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id37"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_build_database" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_aide_build_database" id="guide-tree-leaf-id38" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_aide"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_aide_build_database"><span class="label label-default">Rule</span>  
                                 Build and Test AIDE Database
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_aide_build_database">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Run the following command to generate a new database:
@@ -13850,7 +13850,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id222" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id222"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure screen is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id222" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id222"><pre><code>
+[[packages]]
+name = "screen"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id223" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id223"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure screen is installed
   package:
     name: screen
     state: present
@@ -13866,19 +13870,15 @@
   - medium_severity
   - no_reboot_needed
   - package_screen_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id223" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id223"><pre><code>
-[[packages]]
-name = "screen"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id224" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id224"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=screen
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id225" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id225"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_screen
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id224" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id224"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_screen
 
 class install_screen {
   package { 'screen':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id225" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id225"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=screen
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_smart_card_login" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_screen_locking"><td style="padding-left: 95px" id="xccdf_org.ssgproject.content_group_smart_card_login"><span class="label label-default">Group</span>  
                 Hardware Tokens for Authentication
                           <small>Group contains 3 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_smart_card_login" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_smart_card_login" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_screen_locking"><td style="padding-left: 95px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_smart_card_login">[ref]</a>  
@@ -13915,7 +13915,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id228" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id228"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure pam_pkcs11 is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id228" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id228"><pre><code>
+[[packages]]
+name = "pam_pkcs11"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id229" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id229"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure pam_pkcs11 is installed
   package:
     name: pam_pkcs11
     state: present
@@ -13934,19 +13938,15 @@
   - low_disruption
   - medium_severity
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id229" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id229"><pre><code>
-[[packages]]
-name = "pam_pkcs11"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id230" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id230"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=pam_pkcs11
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id231" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id231"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_pam_pkcs11
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id230" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id230"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_pam_pkcs11
 
 class install_pam_pkcs11 {
   package { 'pam_pkcs11':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id231" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id231"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=pam_pkcs11
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_smartcard_auth" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_smartcard_auth" id="guide-tree-leaf-id232" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smart_card_login"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_smartcard_auth"><span class="label label-default">Rule</span>  
                                 Enable Smart Card Login
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_smartcard_auth">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">To enable smart card authentication, consult the documentation at:
@@ -14182,7 +14182,18 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id240" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id240"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Disable Ctrl-Alt-Del Reboot Activation
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id240" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id240"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    systemd:
+      units:
+      - name: ctrl-alt-del.target
+        mask: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id241" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id241"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Disable Ctrl-Alt-Del Reboot Activation
   systemd:
     name: ctrl-alt-del.target
     force: true
@@ -14201,17 +14212,6 @@
   - low_complexity
   - low_disruption
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id241" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id241"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-      - name: ctrl-alt-del.target
-        mask: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_require_singleuser_auth" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_require_singleuser_auth" id="guide-tree-leaf-id242" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-physical"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_require_singleuser_auth"><span class="label label-default">Rule</span>  
                                 Require Authentication for Single User Mode
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_require_singleuser_auth">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Single-user mode is intended as a system recovery
@@ -14753,7 +14753,26 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id263" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id263"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id263" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id263"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/password-auth
+        overwrite: true
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/system-auth
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id264" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id264"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
     authselect
   ansible.builtin.stat:
     path: /usr/bin/authselect
@@ -14880,25 +14899,6 @@
   - medium_disruption
   - no_empty_passwords
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id264" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id264"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_enhanced.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_enhanced.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_enhanced.html	2023-07-27 00:00:00.000000000 +0000
@@ -71,7 +71,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>ANSSI-BP-028 (enhanced)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_bp28_enhanced</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.0 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.0</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.1 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.1</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.10 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.10</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.2 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.2</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.3 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.3</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.4 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.4</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.5 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.5</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.6 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.6</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.8</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.9</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-8"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 8
                           <small>Group contains 68 groups and 235 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -126,7 +126,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id23" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id23"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -144,19 +148,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id23" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id23"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id24" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id24"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id24" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id24"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_build_database" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_aide_build_database" id="guide-tree-leaf-id26" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_aide"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_aide_build_database"><span class="label label-default">Rule</span>  
                                 Build and Test AIDE Database
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_aide_build_database">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Run the following command to generate a new database:
@@ -477,7 +477,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id61" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id61"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id61" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id61"><pre><code>
+[[packages]]
+name = "sudo"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id62" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id62"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -492,19 +496,15 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id62" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id62"><pre><code>
-[[packages]]
-name = "sudo"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id63" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id63"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=sudo
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id64" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id64"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id63" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id63"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
 
 class install_sudo {
   package { 'sudo':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id64" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id64"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=sudo
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sudo_add_env_reset" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sudo_add_env_reset" id="guide-tree-leaf-id65" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_sudo"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_sudo_add_env_reset"><span class="label label-default">Rule</span>  
                                 Ensure sudo Runs In A Minimal Environment - sudo env_reset
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_sudo_add_env_reset">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The sudo <code>env_reset</code> tag, when specified, will run the command in a minimal environment,
@@ -1018,7 +1018,11 @@
 if ! rpm -q --quiet "dnf-automatic" ; then
     yum install -y "dnf-automatic"
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id94" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id94"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure dnf-automatic is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id94" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id94"><pre><code>
+[[packages]]
+name = "dnf-automatic"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id95" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id95"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure dnf-automatic is installed
   package:
     name: dnf-automatic
     state: present
@@ -1030,19 +1034,15 @@
   - medium_severity
   - no_reboot_needed
   - package_dnf-automatic_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id95" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id95"><pre><code>
-[[packages]]
-name = "dnf-automatic"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id96" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id96"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=dnf-automatic
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id97" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id97"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_dnf-automatic
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id96" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id96"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_dnf-automatic
 
 class install_dnf-automatic {
   package { 'dnf-automatic':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id97" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id97"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=dnf-automatic
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates" id="guide-tree-leaf-id98" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_updating"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates"><span class="label label-default">Rule</span>  
                                 Configure dnf-automatic to Install Available Updates Automatically
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">To ensure that the packages comprising the available updates will be automatically installed by <code>dnf-automatic</code>, set <code>apply_updates</code> to <code>yes</code> under <code>[commands]</code> section in <code>/etc/dnf/automatic.conf</code>.</div></td></tr><tr><td><span class="label label-primary">Rationale:</span></td><td><div class="rationale">Installing software updates is a fundamental mitigation against
@@ -7905,7 +7905,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id173" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id173"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Direct root Logins Not Allowed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id173" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id173"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,
+        mode: 0600
+        path: /etc/securetty
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id174" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id174"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Direct root Logins Not Allowed
   copy:
     dest: /etc/securetty
     content: ''
@@ -7923,20 +7937,6 @@
   - no_direct_root_logins
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id174" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id174"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,
-        mode: 0600
-        path: /etc/securetty
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_accounts-session" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts"><td style="padding-left: 57px" id="xccdf_org.ssgproject.content_group_accounts-session"><span class="label label-default">Group</span>  
                 Secure Session Configuration Files for Login Accounts
                           <small>Group contains 1 group and 6 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_accounts-session" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_accounts-session" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts"><td style="padding-left: 57px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_accounts-session">[ref]</a>  
@@ -32436,7 +32436,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id270" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id270"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id270" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id270"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20delete_module%20-k%20module-change%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20delete_module%20-k%20module-change%0A
+        mode: 0600
+        path: /etc/audit/rules.d/75-kernel-module-loading-delete.rules
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id271" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id271"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -32761,20 +32775,6 @@
   - low_disruption
   - medium_severity
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id271" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id271"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_high.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_high.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_high.html	2023-07-27 00:00:00.000000000 +0000
@@ -71,7 +71,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>ANSSI-BP-028 (high)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_bp28_high</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.0 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.0</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.1 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.1</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.10 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.10</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.2 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.2</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.3 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.3</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.4 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.4</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.5 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.5</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.6 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.6</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.8</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.9</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_kernel_build_config">Kernel Configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-8"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 8
                           <small>Group contains 70 groups and 310 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -126,7 +126,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id23" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id23"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -144,19 +148,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id23" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id23"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id24" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id24"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id24" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id24"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_build_database" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_aide_build_database" id="guide-tree-leaf-id26" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_aide"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_aide_build_database"><span class="label label-default">Rule</span>  
                                 Build and Test AIDE Database
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_aide_build_database">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Run the following command to generate a new database:
@@ -805,7 +805,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id71" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id71"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id71" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id71"><pre><code>
+[[packages]]
+name = "sudo"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id72" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id72"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -820,19 +824,15 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id72" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id72"><pre><code>
-[[packages]]
-name = "sudo"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id73" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id73"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=sudo
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id74" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id74"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id73" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id73"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
 
 class install_sudo {
   package { 'sudo':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id74" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id74"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=sudo
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sudo_add_env_reset" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sudo_add_env_reset" id="guide-tree-leaf-id75" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_sudo"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_sudo_add_env_reset"><span class="label label-default">Rule</span>  
                                 Ensure sudo Runs In A Minimal Environment - sudo env_reset
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_sudo_add_env_reset">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The sudo <code>env_reset</code> tag, when specified, will run the command in a minimal environment,
@@ -1346,7 +1346,11 @@
 if ! rpm -q --quiet "dnf-automatic" ; then
     yum install -y "dnf-automatic"
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id104" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id104"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure dnf-automatic is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id104" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id104"><pre><code>
+[[packages]]
+name = "dnf-automatic"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id105" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id105"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure dnf-automatic is installed
   package:
     name: dnf-automatic
     state: present
@@ -1358,19 +1362,15 @@
   - medium_severity
   - no_reboot_needed
   - package_dnf-automatic_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id105" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id105"><pre><code>
-[[packages]]
-name = "dnf-automatic"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id106" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id106"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=dnf-automatic
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id107" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id107"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_dnf-automatic
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id106" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id106"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_dnf-automatic
 
 class install_dnf-automatic {
   package { 'dnf-automatic':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id107" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id107"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=dnf-automatic
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates" id="guide-tree-leaf-id108" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_updating"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates"><span class="label label-default">Rule</span>  
                                 Configure dnf-automatic to Install Available Updates Automatically
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">To ensure that the packages comprising the available updates will be automatically installed by <code>dnf-automatic</code>, set <code>apply_updates</code> to <code>yes</code> under <code>[commands]</code> section in <code>/etc/dnf/automatic.conf</code>.</div></td></tr><tr><td><span class="label label-primary">Rationale:</span></td><td><div class="rationale">Installing software updates is a fundamental mitigation against
@@ -8233,7 +8233,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id183" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id183"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Direct root Logins Not Allowed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id183" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id183"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,
+        mode: 0600
+        path: /etc/securetty
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id184" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id184"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Direct root Logins Not Allowed
   copy:
     dest: /etc/securetty
     content: ''
@@ -8251,20 +8265,6 @@
   - no_direct_root_logins
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id184" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id184"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,
-        mode: 0600
-        path: /etc/securetty
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_accounts-session" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts"><td style="padding-left: 57px" id="xccdf_org.ssgproject.content_group_accounts-session"><span class="label label-default">Group</span>  
                 Secure Session Configuration Files for Login Accounts
                           <small>Group contains 1 group and 6 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_accounts-session" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_accounts-session" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts"><td style="padding-left: 57px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_accounts-session">[ref]</a>  
@@ -32764,7 +32764,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id280" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id280"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id280" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id280"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20delete_module%20-k%20module-change%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20delete_module%20-k%20module-change%0A
+        mode: 0600
+        path: /etc/audit/rules.d/75-kernel-module-loading-delete.rules
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id281" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id281"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -33089,20 +33103,6 @@
   - low_disruption
   - medium_severity
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id281" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id281"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_intermediary.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_intermediary.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_intermediary.html	2023-07-27 00:00:00.000000000 +0000
@@ -71,7 +71,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>ANSSI-BP-028 (intermediary)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_bp28_intermediary</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.0 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.0</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.1 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.1</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.10 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.10</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.2 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.2</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.3 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.3</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.4 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.4</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.5 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.5</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.6 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.6</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.8</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.9</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-8"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 8
                           <small>Group contains 55 groups and 167 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -126,7 +126,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id23" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id23"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -144,19 +148,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id23" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id23"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id24" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id24"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id24" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id24"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_build_database" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_aide_build_database" id="guide-tree-leaf-id26" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_aide"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_aide_build_database"><span class="label label-default">Rule</span>  
                                 Build and Test AIDE Database
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_aide_build_database">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Run the following command to generate a new database:
@@ -458,7 +458,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id58" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id58"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id58" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id58"><pre><code>
+[[packages]]
+name = "sudo"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id59" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id59"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -473,19 +477,15 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id59" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id59"><pre><code>
-[[packages]]
-name = "sudo"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id60" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id60"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=sudo
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id61" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id61"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id60" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id60"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
 
 class install_sudo {
   package { 'sudo':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id61" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id61"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=sudo
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sudo_add_env_reset" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sudo_add_env_reset" id="guide-tree-leaf-id62" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_sudo"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_sudo_add_env_reset"><span class="label label-default">Rule</span>  
                                 Ensure sudo Runs In A Minimal Environment - sudo env_reset
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_sudo_add_env_reset">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The sudo <code>env_reset</code> tag, when specified, will run the command in a minimal environment,
@@ -990,7 +990,11 @@
 if ! rpm -q --quiet "dnf-automatic" ; then
     yum install -y "dnf-automatic"
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id90" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id90"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure dnf-automatic is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id90" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id90"><pre><code>
+[[packages]]
+name = "dnf-automatic"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id91" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id91"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure dnf-automatic is installed
   package:
     name: dnf-automatic
     state: present
@@ -1002,19 +1006,15 @@
   - medium_severity
   - no_reboot_needed
   - package_dnf-automatic_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id91" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id91"><pre><code>
-[[packages]]
-name = "dnf-automatic"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id92" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id92"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=dnf-automatic
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id93" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id93"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_dnf-automatic
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id92" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id92"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_dnf-automatic
 
 class install_dnf-automatic {
   package { 'dnf-automatic':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id93" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id93"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=dnf-automatic
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates" id="guide-tree-leaf-id94" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_updating"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates"><span class="label label-default">Rule</span>  
                                 Configure dnf-automatic to Install Available Updates Automatically
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">To ensure that the packages comprising the available updates will be automatically installed by <code>dnf-automatic</code>, set <code>apply_updates</code> to <code>yes</code> under <code>[commands]</code> section in <code>/etc/dnf/automatic.conf</code>.</div></td></tr><tr><td><span class="label label-primary">Rationale:</span></td><td><div class="rationale">Installing software updates is a fundamental mitigation against
@@ -7871,7 +7871,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id168" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id168"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Direct root Logins Not Allowed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id168" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id168"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,
+        mode: 0600
+        path: /etc/securetty
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id169" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id169"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Direct root Logins Not Allowed
   copy:
     dest: /etc/securetty
     content: ''
@@ -7889,20 +7903,6 @@
   - no_direct_root_logins
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id169" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id169"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,
-        mode: 0600
-        path: /etc/securetty
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_accounts-session" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts"><td style="padding-left: 57px" id="xccdf_org.ssgproject.content_group_accounts-session"><span class="label label-default">Group</span>  
                 Secure Session Configuration Files for Login Accounts
                           <small>Group contains 3 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_accounts-session" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_accounts-session" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts"><td style="padding-left: 57px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_accounts-session">[ref]</a>  
@@ -8939,7 +8939,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id189" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id189"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id189" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id189"><pre><code>[customizations.kernel]
+append = "l1tf=<abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_l1tf_options">full,force</abbr>"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id190" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id190"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -8969,8 +8971,6 @@
   - medium_complexity
   - reboot_required
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id190" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id190"><pre><code>[customizations.kernel]
-append = "l1tf=<abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_l1tf_options">full,force</abbr>"
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_mce_argument" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_grub2_mce_argument" id="guide-tree-leaf-id191" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_bootloader-grub2"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_grub2_mce_argument"><span class="label label-default">Rule</span>  
                                 Force kernel panic on uncorrected MCEs
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_grub2_mce_argument">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">A Machine Check Exception is an error generated by the CPU itdetects an error
@@ -8997,7 +8997,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id193" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id193"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id193" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id193"><pre><code>[customizations.kernel]
+append = "mce=0"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id194" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id194"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -9022,8 +9024,6 @@
   - medium_severity
   - reboot_required
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id194" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id194"><pre><code>[customizations.kernel]
-append = "mce=0"
/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_minimal.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_minimal.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-anssi_bp28_minimal.html	2023-07-27 00:00:00.000000000 +0000
@@ -71,7 +71,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>ANSSI-BP-028 (minimal)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_bp28_minimal</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.0 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.0</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.1 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.1</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.10 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.10</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.2 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.2</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.3 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.3</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.4 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.4</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.5 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.5</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.6 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.6</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.8</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.9</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-8"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 8
                           <small>Group contains 26 groups and 47 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -244,7 +244,11 @@
 if ! rpm -q --quiet "dnf-automatic" ; then
     yum install -y "dnf-automatic"
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id28" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id28"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure dnf-automatic is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id28" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id28"><pre><code>
+[[packages]]
+name = "dnf-automatic"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id29" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id29"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure dnf-automatic is installed
   package:
     name: dnf-automatic
     state: present
@@ -256,19 +260,15 @@
   - medium_severity
   - no_reboot_needed
   - package_dnf-automatic_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id29" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id29"><pre><code>
-[[packages]]
-name = "dnf-automatic"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id30" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id30"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=dnf-automatic
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id31" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id31"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_dnf-automatic
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id30" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id30"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_dnf-automatic
 
 class install_dnf-automatic {
   package { 'dnf-automatic':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id31" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id31"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=dnf-automatic
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates" id="guide-tree-leaf-id32" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_updating"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates"><span class="label label-default">Rule</span>  
                                 Configure dnf-automatic to Install Available Updates Automatically
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">To ensure that the packages comprising the available updates will be automatically installed by <code>dnf-automatic</code>, set <code>apply_updates</code> to <code>yes</code> under <code>[commands]</code> section in <code>/etc/dnf/automatic.conf</code>.</div></td></tr><tr><td><span class="label label-primary">Rationale:</span></td><td><div class="rationale">Installing software updates is a fundamental mitigation against
@@ -7488,15 +7488,15 @@
   - medium_severity
   - no_reboot_needed
   - package_dhcp_removed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id119" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id119"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=dhcp-server
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id120" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id120"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_dhcp-server
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id119" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id119"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_dhcp-server
 
 class remove_dhcp-server {
   package { 'dhcp-server':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id120" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id120"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=dhcp-server
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_mail" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td style="padding-left: 38px" id="xccdf_org.ssgproject.content_group_mail"><span class="label label-default">Group</span>  
                 Mail Server Software
                           <small>Group contains  1 rule</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_mail" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_mail" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td style="padding-left: 38px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_mail">[ref]</a>  
@@ -7565,15 +7565,15 @@
   - medium_severity
   - no_reboot_needed
   - package_sendmail_removed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id124" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id124"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=sendmail
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id125" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id125"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_sendmail
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id124" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id124"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_sendmail
 
 class remove_sendmail {
   package { 'sendmail':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id125" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id125"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=sendmail
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_obsolete" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td style="padding-left: 38px" id="xccdf_org.ssgproject.content_group_obsolete"><span class="label label-default">Group</span>  
                 Obsolete Services
                           <small>Group contains 6 groups and 11 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_obsolete" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_obsolete" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td style="padding-left: 38px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_obsolete">[ref]</a>  
@@ -7642,15 +7642,15 @@
   - low_severity
   - no_reboot_needed
   - package_xinetd_removed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id129" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id129"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=xinetd
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id130" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id130"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_xinetd
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id129" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id129"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_xinetd
 
 class remove_xinetd {
   package { 'xinetd':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id130" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id130"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=xinetd
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_nis" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td style="padding-left: 57px" id="xccdf_org.ssgproject.content_group_nis"><span class="label label-default">Group</span>  
                 NIS
                           <small>Group contains 2 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_nis" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_nis" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td style="padding-left: 57px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_nis">[ref]</a>  
@@ -7695,15 +7695,15 @@
   - no_reboot_needed
   - package_ypbind_removed
   - unknown_severity
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id134" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id134"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=ypbind
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id135" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id135"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_ypbind
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id134" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id134"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_ypbind
 
 class remove_ypbind {
   package { 'ypbind':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id135" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id135"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=ypbind
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_ypserv_removed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ypserv_removed" id="guide-tree-leaf-id136" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_nis"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_ypserv_removed"><span class="label label-default">Rule</span>  
                                 Uninstall ypserv Package
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_ypserv_removed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The <code>ypserv</code> package can be removed with the following command:
@@ -7745,15 +7745,15 @@
   - low_disruption
   - no_reboot_needed
   - package_ypserv_removed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id139" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id139"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=ypserv
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id140" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id140"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_ypserv
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id139" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id139"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_ypserv
 
 class remove_ypserv {
   package { 'ypserv':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id140" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id140"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=ypserv
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_r_services" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td style="padding-left: 57px" id="xccdf_org.ssgproject.content_group_r_services"><span class="label label-default">Group</span>  
                 Rlogin, Rsh, and Rexec
                           <small>Group contains 2 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_r_services" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_r_services" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td style="padding-left: 57px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_r_services">[ref]</a>  
@@ -7799,15 +7799,15 @@
   - low_disruption
   - no_reboot_needed
   - package_rsh-server_removed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id144" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id144"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=rsh-server
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id145" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id145"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_rsh-server
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id144" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id144"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_rsh-server
 
 class remove_rsh-server {
   package { 'rsh-server':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id145" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id145"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=rsh-server
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_rsh_removed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_rsh_removed" id="guide-tree-leaf-id146" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_rsh_removed"><span class="label label-default">Rule</span>  
                                 Uninstall rsh Package
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_rsh_removed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">
@@ -7848,15 +7848,15 @@
   - no_reboot_needed
   - package_rsh_removed
   - unknown_severity
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id149" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id149"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=rsh
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id150" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id150"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_rsh
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id149" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id149"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_rsh
 
 class remove_rsh {
   package { 'rsh':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id150" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id150"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=rsh
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_talk" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td style="padding-left: 57px" id="xccdf_org.ssgproject.content_group_talk"><span class="label label-default">Group</span>  
                 Chat/Messaging Services
                           <small>Group contains 2 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_talk" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_talk" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td style="padding-left: 57px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_talk">[ref]</a>  
@@ -7891,15 +7891,15 @@
   - medium_severity
   - no_reboot_needed
   - package_talk-server_removed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id154" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id154"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=talk-server
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id155" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id155"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_talk-server
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id154" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id154"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_talk-server
 
 class remove_talk-server {
   package { 'talk-server':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id155" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id155"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=talk-server
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_talk_removed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_talk_removed" id="guide-tree-leaf-id156" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_talk"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_talk_removed"><span class="label label-default">Rule</span>  
                                 Uninstall talk Package
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_talk_removed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The <code>talk</code> package contains the client program for the
@@ -7937,15 +7937,15 @@
/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis.html	2023-07-27 00:00:00.000000000 +0000
@@ -70,7 +70,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>CIS Red Hat Enterprise Linux 8 Benchmark for Level 2 - Server</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_cis</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.0 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.0</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.1 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.1</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.10 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.10</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.2 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.2</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.3 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.3</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.4 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.4</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.5 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.5</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.6 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.6</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.8</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.9</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_avahi">Avahi Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_dns">DNS Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_http">Web Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_imap">IMAP and POP3 Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_printing">Print Support</a></li><li><a href="#xccdf_org.ssgproject.content_group_proxy">Proxy Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB) Microsoft Windows File Sharing Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_snmp">SNMP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_xwindows">X Window System</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-8"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 8
                           <small>Group contains 118 groups and 355 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -125,7 +125,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id23" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id23"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -143,19 +147,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id23" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id23"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id24" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id24"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id24" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id24"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_build_database" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_aide_build_database" id="guide-tree-leaf-id26" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_aide"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_aide_build_database"><span class="label label-default">Rule</span>  
                                 Build and Test AIDE Database
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_aide_build_database">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Run the following command to generate a new database:
@@ -478,7 +478,27 @@
 	echo "Error invoking the update-crypto-policies script: $stderr_of_call" &gt;&amp;2
 	false  # end with an error code
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id34" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id34"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id34" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id34"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    systemd:
+      units:
+        - name: configure-crypto-policy.service
+          enabled: true
+          contents: |
+            [Unit]
+            Before=kubelet.service
+            [Service]
+            Type=oneshot
+            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
+            RemainAfterExit=yes
+            [Install]
+            WantedBy=multi-user.target
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id35" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id35"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
   set_fact:
     var_system_crypto_policy: !!str <abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_system_crypto_policy">DEFAULT</abbr>
   tags:
@@ -525,26 +545,6 @@
   - low_disruption
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id35" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id35"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-        - name: configure-crypto-policy.service
-          enabled: true
-          contents: |
-            [Unit]
-            Before=kubelet.service
-            [Service]
-            Type=oneshot
-            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
-            RemainAfterExit=yes
-            [Install]
-            WantedBy=multi-user.target
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy" id="guide-tree-leaf-id36" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_crypto"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy"><span class="label label-default">Rule</span>  
                                 Configure SSH to use System Crypto Policy
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -1312,7 +1312,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id73" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id73"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id73" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id73"><pre><code>
+[[packages]]
+name = "sudo"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id74" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id74"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -1327,19 +1331,15 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id74" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id74"><pre><code>
-[[packages]]
-name = "sudo"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id75" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id75"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=sudo
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id76" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id76"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id75" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id75"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
 
 class install_sudo {
   package { 'sudo':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id76" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id76"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=sudo
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sudo_add_use_pty" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sudo_add_use_pty" id="guide-tree-leaf-id77" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_sudo"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_sudo_add_use_pty"><span class="label label-default">Rule</span>  
                                 Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_pty
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_sudo_add_use_pty">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The sudo <code>use_pty</code> tag, when specified, will only execute sudo
@@ -9233,7 +9233,26 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id198" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id198"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id198" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id198"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/password-auth
+        overwrite: true
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/system-auth
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id199" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id199"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
     authselect
   ansible.builtin.stat:
     path: /usr/bin/authselect
@@ -9360,25 +9379,6 @@
   - medium_disruption
   - no_empty_passwords
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id199" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id199"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/password-auth
-        overwrite: true
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/system-auth
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow" id="guide-tree-leaf-id200" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_password_storage"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow"><span class="label label-default">Rule</span>  
                                 Ensure There Are No Accounts With Blank or Null Passwords
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Check the "/etc/shadow" file for blank passwords with the
@@ -34672,7 +34672,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id331" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id331"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id331" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id331"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis_server_l1.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis_server_l1.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis_server_l1.html	2023-07-27 00:00:00.000000000 +0000
@@ -70,7 +70,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>CIS Red Hat Enterprise Linux 8 Benchmark for Level 1 - Server</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_cis_server_l1</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.0 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.0</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.1 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.1</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.10 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.10</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.2 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.2</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.3 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.3</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.4 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.4</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.5 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.5</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.6 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.6</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.8</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.9</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_avahi">Avahi Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_dns">DNS Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_http">Web Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_imap">IMAP and POP3 Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_printing">Print Support</a></li><li><a href="#xccdf_org.ssgproject.content_group_proxy">Proxy Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB) Microsoft Windows File Sharing Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_snmp">SNMP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_xwindows">X Window System</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-8"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 8
                           <small>Group contains 105 groups and 279 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -125,7 +125,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id23" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id23"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -143,19 +147,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id23" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id23"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id24" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id24"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id24" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id24"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_build_database" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_aide_build_database" id="guide-tree-leaf-id26" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_aide"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_aide_build_database"><span class="label label-default">Rule</span>  
                                 Build and Test AIDE Database
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_aide_build_database">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Run the following command to generate a new database:
@@ -478,7 +478,27 @@
 	echo "Error invoking the update-crypto-policies script: $stderr_of_call" &gt;&amp;2
 	false  # end with an error code
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id34" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id34"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id34" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id34"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    systemd:
+      units:
+        - name: configure-crypto-policy.service
+          enabled: true
+          contents: |
+            [Unit]
+            Before=kubelet.service
+            [Service]
+            Type=oneshot
+            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
+            RemainAfterExit=yes
+            [Install]
+            WantedBy=multi-user.target
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id35" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id35"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
   set_fact:
     var_system_crypto_policy: !!str <abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_system_crypto_policy">DEFAULT</abbr>
   tags:
@@ -525,26 +545,6 @@
   - low_disruption
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id35" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id35"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-        - name: configure-crypto-policy.service
-          enabled: true
-          contents: |
-            [Unit]
-            Before=kubelet.service
-            [Service]
-            Type=oneshot
-            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
-            RemainAfterExit=yes
-            [Install]
-            WantedBy=multi-user.target
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy" id="guide-tree-leaf-id36" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_crypto"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy"><span class="label label-default">Rule</span>  
                                 Configure SSH to use System Crypto Policy
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -1232,7 +1232,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id58" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id58"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id58" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id58"><pre><code>
+[[packages]]
+name = "sudo"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id59" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id59"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -1247,19 +1251,15 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id59" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id59"><pre><code>
-[[packages]]
-name = "sudo"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id60" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id60"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=sudo
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id61" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id61"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id60" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id60"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
 
 class install_sudo {
   package { 'sudo':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id61" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id61"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=sudo
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sudo_add_use_pty" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sudo_add_use_pty" id="guide-tree-leaf-id62" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_sudo"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_sudo_add_use_pty"><span class="label label-default">Rule</span>  
                                 Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_pty
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_sudo_add_use_pty">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The sudo <code>use_pty</code> tag, when specified, will only execute sudo
@@ -9039,7 +9039,26 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id180" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id180"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id180" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id180"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/password-auth
+        overwrite: true
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/system-auth
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id181" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id181"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
     authselect
   ansible.builtin.stat:
     path: /usr/bin/authselect
@@ -9166,25 +9185,6 @@
   - medium_disruption
   - no_empty_passwords
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id181" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id181"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/password-auth
-        overwrite: true
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/system-auth
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow" id="guide-tree-leaf-id182" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_password_storage"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow"><span class="label label-default">Rule</span>  
                                 Ensure There Are No Accounts With Blank or Null Passwords
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Check the "/etc/shadow" file for blank passwords with the
@@ -11885,7 +11885,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id279" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id279"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service systemd-journald
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id279" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id279"><pre><code>
+[customizations.services]
/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis_workstation_l1.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis_workstation_l1.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis_workstation_l1.html	2023-07-27 00:00:00.000000000 +0000
@@ -70,7 +70,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>CIS Red Hat Enterprise Linux 8 Benchmark for Level 1 - Workstation</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_cis_workstation_l1</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.0 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.0</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.1 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.1</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.10 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.10</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.2 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.2</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.3 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.3</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.4 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.4</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.5 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.5</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.6 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.6</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.8</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.9</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_dns">DNS Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_http">Web Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_imap">IMAP and POP3 Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_proxy">Proxy Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB) Microsoft Windows File Sharing Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_snmp">SNMP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-8"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 8
                           <small>Group contains 98 groups and 272 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -125,7 +125,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id23" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id23"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -143,19 +147,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id23" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id23"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id24" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id24"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id24" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id24"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_build_database" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_aide_build_database" id="guide-tree-leaf-id26" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_aide"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_aide_build_database"><span class="label label-default">Rule</span>  
                                 Build and Test AIDE Database
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_aide_build_database">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Run the following command to generate a new database:
@@ -478,7 +478,27 @@
 	echo "Error invoking the update-crypto-policies script: $stderr_of_call" &gt;&amp;2
 	false  # end with an error code
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id34" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id34"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id34" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id34"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    systemd:
+      units:
+        - name: configure-crypto-policy.service
+          enabled: true
+          contents: |
+            [Unit]
+            Before=kubelet.service
+            [Service]
+            Type=oneshot
+            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
+            RemainAfterExit=yes
+            [Install]
+            WantedBy=multi-user.target
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id35" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id35"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
   set_fact:
     var_system_crypto_policy: !!str <abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_system_crypto_policy">DEFAULT</abbr>
   tags:
@@ -525,26 +545,6 @@
   - low_disruption
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id35" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id35"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-        - name: configure-crypto-policy.service
-          enabled: true
-          contents: |
-            [Unit]
-            Before=kubelet.service
-            [Service]
-            Type=oneshot
-            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
-            RemainAfterExit=yes
-            [Install]
-            WantedBy=multi-user.target
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy" id="guide-tree-leaf-id36" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_crypto"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy"><span class="label label-default">Rule</span>  
                                 Configure SSH to use System Crypto Policy
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -1232,7 +1232,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id58" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id58"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id58" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id58"><pre><code>
+[[packages]]
+name = "sudo"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id59" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id59"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -1247,19 +1251,15 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id59" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id59"><pre><code>
-[[packages]]
-name = "sudo"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id60" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id60"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=sudo
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id61" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id61"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id60" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id60"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
 
 class install_sudo {
   package { 'sudo':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id61" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id61"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=sudo
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sudo_add_use_pty" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sudo_add_use_pty" id="guide-tree-leaf-id62" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_sudo"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_sudo_add_use_pty"><span class="label label-default">Rule</span>  
                                 Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_pty
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_sudo_add_use_pty">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The sudo <code>use_pty</code> tag, when specified, will only execute sudo
@@ -9039,7 +9039,26 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id180" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id180"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id180" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id180"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/password-auth
+        overwrite: true
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/system-auth
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id181" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id181"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
     authselect
   ansible.builtin.stat:
     path: /usr/bin/authselect
@@ -9166,25 +9185,6 @@
   - medium_disruption
   - no_empty_passwords
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id181" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id181"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/password-auth
-        overwrite: true
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/system-auth
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow" id="guide-tree-leaf-id182" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_password_storage"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow"><span class="label label-default">Rule</span>  
                                 Ensure There Are No Accounts With Blank or Null Passwords
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Check the "/etc/shadow" file for blank passwords with the
@@ -11885,7 +11885,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id279" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id279"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service systemd-journald
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id279" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id279"><pre><code>
+[customizations.services]
/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis_workstation_l2.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis_workstation_l2.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cis_workstation_l2.html	2023-07-27 00:00:00.000000000 +0000
@@ -70,7 +70,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>CIS Red Hat Enterprise Linux 8 Benchmark for Level 2 - Workstation</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_cis_workstation_l2</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.0 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.0</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.1 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.1</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.10 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.10</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.2 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.2</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.3 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.3</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.4 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.4</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.5 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.5</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.6 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.6</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.8</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.9</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_avahi">Avahi Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_dns">DNS Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_http">Web Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_imap">IMAP and POP3 Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_proxy">Proxy Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB) Microsoft Windows File Sharing Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_snmp">SNMP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-8"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 8
                           <small>Group contains 113 groups and 351 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -125,7 +125,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id23" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id23"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -143,19 +147,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id23" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id23"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id24" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id24"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id24" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id24"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_build_database" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_aide_build_database" id="guide-tree-leaf-id26" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_aide"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_aide_build_database"><span class="label label-default">Rule</span>  
                                 Build and Test AIDE Database
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_aide_build_database">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Run the following command to generate a new database:
@@ -478,7 +478,27 @@
 	echo "Error invoking the update-crypto-policies script: $stderr_of_call" &gt;&amp;2
 	false  # end with an error code
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id34" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id34"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id34" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id34"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    systemd:
+      units:
+        - name: configure-crypto-policy.service
+          enabled: true
+          contents: |
+            [Unit]
+            Before=kubelet.service
+            [Service]
+            Type=oneshot
+            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
+            RemainAfterExit=yes
+            [Install]
+            WantedBy=multi-user.target
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id35" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id35"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
   set_fact:
     var_system_crypto_policy: !!str <abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_system_crypto_policy">DEFAULT</abbr>
   tags:
@@ -525,26 +545,6 @@
   - low_disruption
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id35" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id35"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-        - name: configure-crypto-policy.service
-          enabled: true
-          contents: |
-            [Unit]
-            Before=kubelet.service
-            [Service]
-            Type=oneshot
-            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
-            RemainAfterExit=yes
-            [Install]
-            WantedBy=multi-user.target
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy" id="guide-tree-leaf-id36" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_crypto"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy"><span class="label label-default">Rule</span>  
                                 Configure SSH to use System Crypto Policy
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -1312,7 +1312,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id73" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id73"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id73" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id73"><pre><code>
+[[packages]]
+name = "sudo"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id74" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id74"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -1327,19 +1331,15 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id74" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id74"><pre><code>
-[[packages]]
-name = "sudo"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id75" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id75"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=sudo
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id76" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id76"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id75" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id75"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
 
 class install_sudo {
   package { 'sudo':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id76" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id76"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=sudo
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sudo_add_use_pty" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sudo_add_use_pty" id="guide-tree-leaf-id77" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_sudo"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_sudo_add_use_pty"><span class="label label-default">Rule</span>  
                                 Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_pty
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_sudo_add_use_pty">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The sudo <code>use_pty</code> tag, when specified, will only execute sudo
@@ -9233,7 +9233,26 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id198" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id198"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id198" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id198"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/password-auth
+        overwrite: true
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/system-auth
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id199" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id199"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
     authselect
   ansible.builtin.stat:
     path: /usr/bin/authselect
@@ -9360,25 +9379,6 @@
   - medium_disruption
   - no_empty_passwords
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id199" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id199"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/password-auth
-        overwrite: true
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/system-auth
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow" id="guide-tree-leaf-id200" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_password_storage"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow"><span class="label label-default">Rule</span>  
                                 Ensure There Are No Accounts With Blank or Null Passwords
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Check the "/etc/shadow" file for blank passwords with the
@@ -34672,7 +34672,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id331" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id331"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id331" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id331"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cjis.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cjis.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cjis.html	2023-07-27 00:00:00.000000000 +0000
@@ -69,7 +69,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Criminal Justice Information Services (CJIS) Security Policy</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_cjis</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.0 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.0</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.1 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.1</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.10 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.10</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.2 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.2</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.3 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.3</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.4 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.4</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.5 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.5</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.6 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.6</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.8</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.9</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-8"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 8
                           <small>Group contains 48 groups and 105 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -461,7 +461,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id28" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id28"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id28" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id28"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id29" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id29"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -479,19 +483,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id29" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id29"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id30" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id30"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id31" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id31"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id30" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id30"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id31" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id31"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_build_database" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_aide_build_database" id="guide-tree-leaf-id32" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_aide"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_aide_build_database"><span class="label label-default">Rule</span>  
                                 Build and Test AIDE Database
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_aide_build_database">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Run the following command to generate a new database:
@@ -814,7 +814,27 @@
 	echo "Error invoking the update-crypto-policies script: $stderr_of_call" &gt;&amp;2
 	false  # end with an error code
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id40" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id40"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id40" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id40"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    systemd:
+      units:
+        - name: configure-crypto-policy.service
+          enabled: true
+          contents: |
+            [Unit]
+            Before=kubelet.service
+            [Service]
+            Type=oneshot
+            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
+            RemainAfterExit=yes
+            [Install]
+            WantedBy=multi-user.target
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id41" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id41"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
   set_fact:
     var_system_crypto_policy: !!str <abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_system_crypto_policy">FIPS</abbr>
   tags:
@@ -861,26 +881,6 @@
   - low_disruption
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id41" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id41"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-        - name: configure-crypto-policy.service
-          enabled: true
-          contents: |
-            [Unit]
-            Before=kubelet.service
-            [Service]
-            Type=oneshot
-            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
-            RemainAfterExit=yes
-            [Install]
-            WantedBy=multi-user.target
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy" id="guide-tree-leaf-id42" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_crypto"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy"><span class="label label-default">Rule</span>  
                                 Configure SSH to use System Crypto Policy
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -4371,7 +4371,26 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id106" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id106"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id106" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id106"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/password-auth
+        overwrite: true
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/system-auth
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id107" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id107"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
     authselect
   ansible.builtin.stat:
     path: /usr/bin/authselect
@@ -4498,25 +4517,6 @@
   - medium_disruption
   - no_empty_passwords
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id107" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id107"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/password-auth
-        overwrite: true
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/system-auth
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_accounts-session" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts"><td style="padding-left: 57px" id="xccdf_org.ssgproject.content_group_accounts-session"><span class="label label-default">Group</span>  
                 Secure Session Configuration Files for Login Accounts
                           <small>Group contains  1 rule</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_accounts-session" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_accounts-session" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts"><td style="padding-left: 57px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_accounts-session">[ref]</a>  
@@ -20564,7 +20564,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id167" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id167"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id167" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id167"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db64%20-S%20adjtimex%20-k%20audit_time_rules%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20adjtimex%20-k%20audit_time_rules%0A }}
+        mode: 0600
+        path: /etc/audit/rules.d/75-syscall-adjtimex.rules
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id168" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id168"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -20892,20 +20906,6 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id168" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id168"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db64%20-S%20adjtimex%20-k%20audit_time_rules%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20adjtimex%20-k%20audit_time_rules%0A }}
-        mode: 0600
-        path: /etc/audit/rules.d/75-syscall-adjtimex.rules
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime" id="guide-tree-leaf-id169" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_audit_time_rules"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime"><span class="label label-default">Rule</span>  
                                 Record Attempts to Alter Time Through clock_settime
/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cui.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cui.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-cui.html	2023-07-27 00:00:00.000000000 +0000
@@ -81,7 +81,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_cui</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.0 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.0</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.1 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.1</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.10 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.10</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.2 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.2</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.3 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.3</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.4 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.4</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.5 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.5</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.6 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.6</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.8</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.9</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-zipl">zIPL bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_fapolicyd">Application Whitelisting Daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_kerberos">Kerberos</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_usbguard">USBGuard daemon</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-8"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 8
                           <small>Group contains 62 groups and 210 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -136,7 +136,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id23" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id23"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -154,19 +158,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id23" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id23"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id24" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id24"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id24" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id24"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_fips" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_integrity"><td style="padding-left: 76px" id="xccdf_org.ssgproject.content_group_fips"><span class="label label-default">Group</span>  
                 Federal Information Processing Standard (FIPS)
                           <small>Group contains 2 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_fips" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_fips" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_integrity"><td style="padding-left: 76px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_fips">[ref]</a>  
@@ -457,7 +457,11 @@
 if ! rpm -q --quiet "crypto-policies" ; then
     yum install -y "crypto-policies"
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id34" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id34"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure crypto-policies is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id34" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id34"><pre><code>
+[[packages]]
+name = "crypto-policies"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id35" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id35"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure crypto-policies is installed
   package:
     name: crypto-policies
     state: present
@@ -469,19 +473,15 @@
   - medium_severity
   - no_reboot_needed
   - package_crypto-policies_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id35" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id35"><pre><code>
-[[packages]]
-name = "crypto-policies"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id36" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id36"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=crypto-policies
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id37" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id37"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_crypto-policies
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id36" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id36"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_crypto-policies
 
 class install_crypto-policies {
   package { 'crypto-policies':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id37" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id37"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=crypto-policies
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_configure_bind_crypto_policy" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_configure_bind_crypto_policy" id="guide-tree-leaf-id38" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_crypto"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_configure_bind_crypto_policy"><span class="label label-default">Rule</span>  
                                 Configure BIND to use System Crypto Policy
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_configure_bind_crypto_policy">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -553,7 +553,27 @@
 	echo "Error invoking the update-crypto-policies script: $stderr_of_call" &gt;&amp;2
 	false  # end with an error code
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id42" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id42"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id42" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id42"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    systemd:
+      units:
+        - name: configure-crypto-policy.service
+          enabled: true
+          contents: |
+            [Unit]
+            Before=kubelet.service
+            [Service]
+            Type=oneshot
+            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
+            RemainAfterExit=yes
+            [Install]
+            WantedBy=multi-user.target
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id43" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id43"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
   set_fact:
     var_system_crypto_policy: !!str <abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_system_crypto_policy">FIPS:OSPP</abbr>
   tags:
@@ -600,26 +620,6 @@
   - low_disruption
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id43" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id43"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-        - name: configure-crypto-policy.service
-          enabled: true
-          contents: |
-            [Unit]
-            Before=kubelet.service
-            [Service]
-            Type=oneshot
-            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
-            RemainAfterExit=yes
-            [Install]
-            WantedBy=multi-user.target
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy" id="guide-tree-leaf-id44" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_crypto"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy"><span class="label label-default">Rule</span>  
                                 Configure Kerberos to use System Crypto Policy
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -1093,7 +1093,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id76" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id76"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id76" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id76"><pre><code>
+[[packages]]
+name = "sudo"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id77" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id77"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -1108,19 +1112,15 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id77" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id77"><pre><code>
-[[packages]]
-name = "sudo"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id78" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id78"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=sudo
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id79" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id79"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id78" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id78"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
 
 class install_sudo {
   package { 'sudo':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id79" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id79"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=sudo
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system-tools" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_software"><td style="padding-left: 57px" id="xccdf_org.ssgproject.content_group_system-tools"><span class="label label-default">Group</span>  
                 System Tooling / Utilities
                           <small>Group contains 15 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_system-tools" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_system-tools" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_software"><td style="padding-left: 57px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_system-tools">[ref]</a>  
@@ -1137,7 +1137,11 @@
 if ! rpm -q --quiet "dnf-plugin-subscription-manager" ; then
     yum install -y "dnf-plugin-subscription-manager"
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id82" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id82"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure dnf-plugin-subscription-manager is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id82" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id82"><pre><code>
+[[packages]]
+name = "dnf-plugin-subscription-manager"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id83" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id83"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure dnf-plugin-subscription-manager is installed
   package:
     name: dnf-plugin-subscription-manager
     state: present
@@ -1149,19 +1153,15 @@
   - medium_severity
   - no_reboot_needed
   - package_dnf-plugin-subscription-manager_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id83" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id83"><pre><code>
-[[packages]]
-name = "dnf-plugin-subscription-manager"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id84" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id84"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=dnf-plugin-subscription-manager
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id85" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id85"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_dnf-plugin-subscription-manager
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id84" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id84"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_dnf-plugin-subscription-manager
/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-e8.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-e8.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-e8.html	2023-07-27 00:00:00.000000000 +0000
@@ -71,7 +71,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Australian Cyber Security Centre (ACSC) Essential Eight</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_e8</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.0 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.0</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.1 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.1</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.10 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.10</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.2 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.2</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.3 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.3</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.4 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.4</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.5 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.5</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.6 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.6</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.8</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.9</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_avahi">Avahi Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_fapolicyd">Application Whitelisting Daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_proxy">Proxy Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_routing">Network Routing</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-8"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 8
                           <small>Group contains 48 groups and 98 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -621,7 +621,27 @@
 	echo "Error invoking the update-crypto-policies script: $stderr_of_call" &gt;&amp;2
 	false  # end with an error code
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id31" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id31"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id31" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id31"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    systemd:
+      units:
+        - name: configure-crypto-policy.service
+          enabled: true
+          contents: |
+            [Unit]
+            Before=kubelet.service
+            [Service]
+            Type=oneshot
+            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
+            RemainAfterExit=yes
+            [Install]
+            WantedBy=multi-user.target
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id32" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id32"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
   set_fact:
     var_system_crypto_policy: !!str <abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_system_crypto_policy">DEFAULT:NO-SHA1</abbr>
   tags:
@@ -668,26 +688,6 @@
   - low_disruption
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id32" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id32"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-        - name: configure-crypto-policy.service
-          enabled: true
-          contents: |
-            [Unit]
-            Before=kubelet.service
-            [Service]
-            Type=oneshot
-            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
-            RemainAfterExit=yes
-            [Install]
-            WantedBy=multi-user.target
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy" id="guide-tree-leaf-id33" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_crypto"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy"><span class="label label-default">Rule</span>  
                                 Configure SSH to use System Crypto Policy
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -995,7 +995,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id47" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id47"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rear is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id47" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id47"><pre><code>
+[[packages]]
+name = "rear"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id48" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id48"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rear is installed
   package:
     name: rear
     state: present
@@ -1012,19 +1016,15 @@
   - medium_severity
   - no_reboot_needed
   - package_rear_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id48" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id48"><pre><code>
-[[packages]]
-name = "rear"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id49" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id49"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=rear
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id50" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id50"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_rear
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id49" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id49"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_rear
 
 class install_rear {
   package { 'rear':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id50" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id50"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=rear
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_updating" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_software"><td style="padding-left: 57px" id="xccdf_org.ssgproject.content_group_updating"><span class="label label-default">Group</span>  
                 Updating Software
                           <small>Group contains 6 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_updating" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_updating" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_software"><td style="padding-left: 57px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_updating">[ref]</a>  
@@ -1668,7 +1668,26 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id71" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id71"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id71" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id71"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/password-auth
+        overwrite: true
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/system-auth
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id72" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id72"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
     authselect
   ansible.builtin.stat:
     path: /usr/bin/authselect
@@ -1795,25 +1814,6 @@
   - medium_disruption
   - no_empty_passwords
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id72" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id72"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/password-auth
-        overwrite: true
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/system-auth
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_root_logins" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-restrictions"><td style="padding-left: 76px" id="xccdf_org.ssgproject.content_group_root_logins"><span class="label label-default">Group</span>  
                 Restrict Root Logins
                           <small>Group contains  1 rule</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_root_logins" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_root_logins" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-restrictions"><td style="padding-left: 76px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_root_logins">[ref]</a>  
@@ -9053,7 +9053,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id118" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id118"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id118" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id118"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db64%20-S%20adjtimex%20-k%20audit_time_rules%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20adjtimex%20-k%20audit_time_rules%0A }}
+        mode: 0600
+        path: /etc/audit/rules.d/75-syscall-adjtimex.rules
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id119" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id119"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -9381,20 +9395,6 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id119" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id119"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db64%20-S%20adjtimex%20-k%20audit_time_rules%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20adjtimex%20-k%20audit_time_rules%0A }}
-        mode: 0600
-        path: /etc/audit/rules.d/75-syscall-adjtimex.rules
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime" id="guide-tree-leaf-id120" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_audit_time_rules"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime"><span class="label label-default">Rule</span>  
                                 Record Attempts to Alter Time Through clock_settime
/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-hipaa.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-hipaa.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-hipaa.html	2023-07-27 00:00:00.000000000 +0000
@@ -74,7 +74,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Health Insurance Portability and Accountability Act (HIPAA)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_hipaa</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.0 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.0</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.1 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.1</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.10 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.10</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.2 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.2</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.3 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.3</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.4 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.4</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.5 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.5</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.6 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.6</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.8</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.9</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_routing">Network Routing</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-8"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 8
                           <small>Group contains 54 groups and 137 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -503,7 +503,27 @@
 	echo "Error invoking the update-crypto-policies script: $stderr_of_call" &gt;&amp;2
 	false  # end with an error code
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id28" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id28"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id28" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id28"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    systemd:
+      units:
+        - name: configure-crypto-policy.service
+          enabled: true
+          contents: |
+            [Unit]
+            Before=kubelet.service
+            [Service]
+            Type=oneshot
+            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
+            RemainAfterExit=yes
+            [Install]
+            WantedBy=multi-user.target
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id29" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id29"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
   set_fact:
     var_system_crypto_policy: !!str <abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_system_crypto_policy">FIPS</abbr>
   tags:
@@ -550,26 +570,6 @@
   - low_disruption
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id29" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id29"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-        - name: configure-crypto-policy.service
-          enabled: true
-          contents: |
-            [Unit]
-            Before=kubelet.service
-            [Service]
-            Type=oneshot
-            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
-            RemainAfterExit=yes
-            [Install]
-            WantedBy=multi-user.target
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy" id="guide-tree-leaf-id30" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_crypto"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy"><span class="label label-default">Rule</span>  
                                 Configure SSH to use System Crypto Policy
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -1509,7 +1509,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id56" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id56"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Block Disable service debug-shell
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id56" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id56"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    systemd:
+      units:
+      - enabled: false
+        name: debug-shell.service
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id57" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id57"><pre><code>
+[customizations.services]
+disabled = ["debug-shell"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id58" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id58"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Block Disable service debug-shell
   block:
 
   - name: Disable service debug-shell
@@ -1578,20 +1592,6 @@
   - medium_severity
   - no_reboot_needed
   - service_debug-shell_disabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id57" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id57"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-      - enabled: false
-        name: debug-shell.service
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id58" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id58"><pre><code>
-[customizations.services]
-disabled = ["debug-shell"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id59" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id59"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include disable_debug-shell
 
 class disable_debug-shell {
@@ -1646,7 +1646,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id62" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id62"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id62" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id62"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,CtrlAltDelBurstAction%3Dnone
+        mode: 0644
+        path: /etc/systemd/system.conf.d/disable_ctrlaltdelete_burstaction.conf
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id63" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id63"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -1684,20 +1698,6 @@
   - low_complexity
   - low_disruption
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id63" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id63"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,CtrlAltDelBurstAction%3Dnone
-        mode: 0644
-        path: /etc/systemd/system.conf.d/disable_ctrlaltdelete_burstaction.conf
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot" id="guide-tree-leaf-id64" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-physical"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot"><span class="label label-default">Rule</span>  
                                 Disable Ctrl-Alt-Del Reboot Activation
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">By default, <code>SystemD</code> will reboot the system if the <code>Ctrl-Alt-Del</code>
@@ -1725,7 +1725,18 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id66" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id66"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Disable Ctrl-Alt-Del Reboot Activation
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id66" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id66"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    systemd:
+      units:
+      - name: ctrl-alt-del.target
+        mask: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id67" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id67"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Disable Ctrl-Alt-Del Reboot Activation
   systemd:
     name: ctrl-alt-del.target
     force: true
@@ -1744,17 +1755,6 @@
   - low_complexity
   - low_disruption
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id67" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id67"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-      - name: ctrl-alt-del.target
-        mask: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_disable_interactive_boot" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_grub2_disable_interactive_boot" id="guide-tree-leaf-id68" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-physical"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_grub2_disable_interactive_boot"><span class="label label-default">Rule</span>  
                                 Verify that Interactive Boot is Disabled
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_grub2_disable_interactive_boot">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Red Hat Enterprise Linux 8 systems support an "interactive boot" option that can
@@ -2026,7 +2026,26 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id76" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id76"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id76" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id76"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-ism_o.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-ism_o.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-ism_o.html	2023-07-27 00:00:00.000000000 +0000
@@ -75,7 +75,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Australian Cyber Security Centre (ACSC) ISM Official</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_ism_o</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.0 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.0</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.1 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.1</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.10 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.10</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.2 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.2</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.3 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.3</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.4 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.4</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.5 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.5</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.6 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.6</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.8</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.9</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_avahi">Avahi Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_fapolicyd">Application Whitelisting Daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_proxy">Proxy Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_routing">Network Routing</a></li><li><a href="#xccdf_org.ssgproject.content_group_snmp">SNMP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_usbguard">USBGuard daemon</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-8"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 8
                           <small>Group contains 71 groups and 151 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -588,7 +588,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id31" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id31"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id31" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id31"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id32" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id32"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -606,19 +610,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id32" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id32"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id33" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id33"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id34" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id34"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id33" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id33"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id34" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id34"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_fips" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_integrity"><td style="padding-left: 76px" id="xccdf_org.ssgproject.content_group_fips"><span class="label label-default">Group</span>  
                 Federal Information Processing Standard (FIPS)
                           <small>Group contains  1 rule</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_fips" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_fips" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_integrity"><td style="padding-left: 76px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_fips">[ref]</a>  
@@ -840,7 +840,27 @@
 	echo "Error invoking the update-crypto-policies script: $stderr_of_call" &gt;&amp;2
 	false  # end with an error code
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id40" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id40"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id40" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id40"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    systemd:
+      units:
+        - name: configure-crypto-policy.service
+          enabled: true
+          contents: |
+            [Unit]
+            Before=kubelet.service
+            [Service]
+            Type=oneshot
+            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
+            RemainAfterExit=yes
+            [Install]
+            WantedBy=multi-user.target
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id41" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id41"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
   set_fact:
     var_system_crypto_policy: !!str <abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_system_crypto_policy">FIPS</abbr>
   tags:
@@ -887,26 +907,6 @@
   - low_disruption
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id41" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id41"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-        - name: configure-crypto-policy.service
-          enabled: true
-          contents: |
-            [Unit]
-            Before=kubelet.service
-            [Service]
-            Type=oneshot
-            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
-            RemainAfterExit=yes
-            [Install]
-            WantedBy=multi-user.target
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy" id="guide-tree-leaf-id42" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_crypto"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy"><span class="label label-default">Rule</span>  
                                 Configure SSH to use System Crypto Policy
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -1081,7 +1081,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id50" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id50"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id50" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id50"><pre><code>
+[[packages]]
+name = "sudo"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id51" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id51"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -1096,19 +1100,15 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id51" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id51"><pre><code>
-[[packages]]
-name = "sudo"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id52" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id52"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=sudo
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id53" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id53"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id52" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id52"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
 
 class install_sudo {
   package { 'sudo':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id53" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id53"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=sudo
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate" id="guide-tree-leaf-id54" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_sudo"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate"><span class="label label-default">Rule</span>  
                                 Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The sudo <code>!authenticate</code> option, when specified, allows a user to execute commands using
@@ -1372,7 +1372,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id65" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id65"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rear is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id65" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id65"><pre><code>
+[[packages]]
+name = "rear"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id66" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id66"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rear is installed
   package:
     name: rear
     state: present
@@ -1389,19 +1393,15 @@
   - medium_severity
   - no_reboot_needed
   - package_rear_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id66" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id66"><pre><code>
-[[packages]]
-name = "rear"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id67" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id67"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=rear
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id68" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id68"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_rear
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id67" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id67"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_rear
 
 class install_rear {
   package { 'rear':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id68" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id68"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=rear
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_updating" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_software"><td style="padding-left: 57px" id="xccdf_org.ssgproject.content_group_updating"><span class="label label-default">Group</span>  
                 Updating Software
                           <small>Group contains 6 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_updating" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_updating" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_software"><td style="padding-left: 57px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_updating">[ref]</a>  
@@ -6397,7 +6397,26 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id123" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id123"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id123" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id123"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/password-auth
+        overwrite: true
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/system-auth
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id124" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id124"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-ospp.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-ospp.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-ospp.html	2023-07-27 00:00:00.000000000 +0000
@@ -72,7 +72,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Protection Profile for General Purpose Operating Systems</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_ospp</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.0 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.0</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.1 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.1</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.10 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.10</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.2 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.2</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.3 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.3</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.4 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.4</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.5 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.5</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.6 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.6</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.8</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.9</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-zipl">zIPL bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_fapolicyd">Application Whitelisting Daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_kerberos">Kerberos</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_usbguard">USBGuard daemon</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-8"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 8
                           <small>Group contains 62 groups and 210 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -127,7 +127,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id23" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id23"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -145,19 +149,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id23" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id23"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id24" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id24"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id24" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id24"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_fips" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_integrity"><td style="padding-left: 76px" id="xccdf_org.ssgproject.content_group_fips"><span class="label label-default">Group</span>  
                 Federal Information Processing Standard (FIPS)
                           <small>Group contains 2 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_fips" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_fips" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_integrity"><td style="padding-left: 76px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_fips">[ref]</a>  
@@ -448,7 +448,11 @@
 if ! rpm -q --quiet "crypto-policies" ; then
     yum install -y "crypto-policies"
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id34" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id34"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure crypto-policies is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id34" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id34"><pre><code>
+[[packages]]
+name = "crypto-policies"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id35" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id35"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure crypto-policies is installed
   package:
     name: crypto-policies
     state: present
@@ -460,19 +464,15 @@
   - medium_severity
   - no_reboot_needed
   - package_crypto-policies_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id35" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id35"><pre><code>
-[[packages]]
-name = "crypto-policies"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id36" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id36"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=crypto-policies
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id37" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id37"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_crypto-policies
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id36" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id36"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_crypto-policies
 
 class install_crypto-policies {
   package { 'crypto-policies':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id37" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id37"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=crypto-policies
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_configure_bind_crypto_policy" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_configure_bind_crypto_policy" id="guide-tree-leaf-id38" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_crypto"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_configure_bind_crypto_policy"><span class="label label-default">Rule</span>  
                                 Configure BIND to use System Crypto Policy
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_configure_bind_crypto_policy">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -544,7 +544,27 @@
 	echo "Error invoking the update-crypto-policies script: $stderr_of_call" &gt;&amp;2
 	false  # end with an error code
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id42" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id42"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id42" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id42"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    systemd:
+      units:
+        - name: configure-crypto-policy.service
+          enabled: true
+          contents: |
+            [Unit]
+            Before=kubelet.service
+            [Service]
+            Type=oneshot
+            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
+            RemainAfterExit=yes
+            [Install]
+            WantedBy=multi-user.target
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id43" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id43"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
   set_fact:
     var_system_crypto_policy: !!str <abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_system_crypto_policy">FIPS:OSPP</abbr>
   tags:
@@ -591,26 +611,6 @@
   - low_disruption
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id43" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id43"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-        - name: configure-crypto-policy.service
-          enabled: true
-          contents: |
-            [Unit]
-            Before=kubelet.service
-            [Service]
-            Type=oneshot
-            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
-            RemainAfterExit=yes
-            [Install]
-            WantedBy=multi-user.target
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy" id="guide-tree-leaf-id44" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_crypto"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy"><span class="label label-default">Rule</span>  
                                 Configure Kerberos to use System Crypto Policy
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -1084,7 +1084,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id76" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id76"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id76" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id76"><pre><code>
+[[packages]]
+name = "sudo"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id77" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id77"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -1099,19 +1103,15 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id77" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id77"><pre><code>
-[[packages]]
-name = "sudo"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id78" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id78"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=sudo
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id79" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id79"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id78" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id78"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
 
 class install_sudo {
   package { 'sudo':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id79" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id79"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=sudo
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system-tools" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_software"><td style="padding-left: 57px" id="xccdf_org.ssgproject.content_group_system-tools"><span class="label label-default">Group</span>  
                 System Tooling / Utilities
                           <small>Group contains 15 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_system-tools" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_system-tools" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_software"><td style="padding-left: 57px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_system-tools">[ref]</a>  
@@ -1128,7 +1128,11 @@
 if ! rpm -q --quiet "dnf-plugin-subscription-manager" ; then
     yum install -y "dnf-plugin-subscription-manager"
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id82" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id82"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure dnf-plugin-subscription-manager is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id82" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id82"><pre><code>
+[[packages]]
+name = "dnf-plugin-subscription-manager"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id83" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id83"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure dnf-plugin-subscription-manager is installed
   package:
     name: dnf-plugin-subscription-manager
     state: present
@@ -1140,19 +1144,15 @@
   - medium_severity
   - no_reboot_needed
   - package_dnf-plugin-subscription-manager_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id83" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id83"><pre><code>
-[[packages]]
-name = "dnf-plugin-subscription-manager"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id84" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id84"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=dnf-plugin-subscription-manager
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id85" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id85"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_dnf-plugin-subscription-manager
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id84" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id84"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_dnf-plugin-subscription-manager
/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-pci-dss.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-pci-dss.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-pci-dss.html	2023-07-27 00:00:00.000000000 +0000
@@ -65,7 +65,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 8</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_pci-dss</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.0 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.0</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.1 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.1</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.10 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.10</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.2 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.2</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.3 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.3</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.4 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.4</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.5 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.5</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.6 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.6</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.8</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.9</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_sssd">System Security Services Daemon</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-8"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 8
                           <small>Group contains 49 groups and 125 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -457,7 +457,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id28" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id28"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id28" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id28"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id29" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id29"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -475,19 +479,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id29" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id29"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id30" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id30"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id31" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id31"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id30" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id30"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id31" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id31"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_build_database" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_aide_build_database" id="guide-tree-leaf-id32" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_aide"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_aide_build_database"><span class="label label-default">Rule</span>  
                                 Build and Test AIDE Database
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_aide_build_database">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Run the following command to generate a new database:
@@ -836,7 +836,27 @@
 	echo "Error invoking the update-crypto-policies script: $stderr_of_call" &gt;&amp;2
 	false  # end with an error code
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id42" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id42"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id42" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id42"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    systemd:
+      units:
+        - name: configure-crypto-policy.service
+          enabled: true
+          contents: |
+            [Unit]
+            Before=kubelet.service
+            [Service]
+            Type=oneshot
+            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
+            RemainAfterExit=yes
+            [Install]
+            WantedBy=multi-user.target
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id43" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id43"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
   set_fact:
     var_system_crypto_policy: !!str <abbr title="from Benchmark/Value: xccdf_org.ssgproject.content_value_var_system_crypto_policy">DEFAULT</abbr>
   tags:
@@ -883,26 +903,6 @@
   - low_disruption
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id43" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id43"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-        - name: configure-crypto-policy.service
-          enabled: true
-          contents: |
-            [Unit]
-            Before=kubelet.service
-            [Service]
-            Type=oneshot
-            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
-            RemainAfterExit=yes
-            [Install]
-            WantedBy=multi-user.target
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy" id="guide-tree-leaf-id44" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_crypto"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy"><span class="label label-default">Rule</span>  
                                 Configure Kerberos to use System Crypto Policy
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -7211,7 +7211,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id124" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id124"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure opensc is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id124" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id124"><pre><code>
+[[packages]]
+name = "opensc"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id125" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id125"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure opensc is installed
   package:
     name: opensc
     state: present
@@ -7226,19 +7230,15 @@
   - medium_severity
   - no_reboot_needed
   - package_opensc_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id125" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id125"><pre><code>
-[[packages]]
-name = "opensc"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id126" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id126"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=opensc
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id127" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id127"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_opensc
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id126" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id126"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_opensc
 
 class install_opensc {
   package { 'opensc':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id127" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id127"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=opensc
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_pcsc-lite_installed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_pcsc-lite_installed" id="guide-tree-leaf-id128" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smart_card_login"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_pcsc-lite_installed"><span class="label label-default">Rule</span>  
                                 Install the pcsc-lite package
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_pcsc-lite_installed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The <code>pcsc-lite</code> package can be installed with the following command:
@@ -7256,7 +7256,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id130" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id130"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure pcsc-lite is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id130" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id130"><pre><code>
+[[packages]]
+name = "pcsc-lite"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id131" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id131"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure pcsc-lite is installed
   package:
     name: pcsc-lite
     state: present
@@ -7270,19 +7274,15 @@
   - medium_severity
   - no_reboot_needed
   - package_pcsc-lite_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id131" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id131"><pre><code>
-[[packages]]
-name = "pcsc-lite"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id132" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id132"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=pcsc-lite
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id133" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id133"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_pcsc-lite
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id132" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id132"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_pcsc-lite
 
 class install_pcsc-lite {
   package { 'pcsc-lite':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id133" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id133"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=pcsc-lite
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_pcscd_enabled" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_pcscd_enabled" id="guide-tree-leaf-id134" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smart_card_login"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_service_pcscd_enabled"><span class="label label-default">Rule</span>  
                                 Enable the pcscd Service
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_service_pcscd_enabled">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">
@@ -7309,7 +7309,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id136" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id136"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service pcscd
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id136" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id136"><pre><code>
+[customizations.services]
+enabled = ["pcscd"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id137" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id137"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service pcscd
   block:
 
   - name: Gather the package facts
@@ -7348,9 +7351,6 @@
   - medium_severity
   - no_reboot_needed
   - service_pcscd_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id137" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id137"><pre><code>
-[customizations.services]
-enabled = ["pcscd"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id138" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id138"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_pcscd
 
 class enable_pcscd {
@@ -7886,7 +7886,26 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-rht-ccp.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-rht-ccp.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-rht-ccp.html	2023-07-27 00:00:00.000000000 +0000
@@ -68,7 +68,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Red Hat Corporate Profile for Certified Cloud Providers (RH CCP)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_rht-ccp</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.0 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.0</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.1 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.1</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.10 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.10</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.2 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.2</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.3 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.3</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.4 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.4</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.5 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.5</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.6 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.6</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.8</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.9</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-8"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 8
                           <small>Group contains 39 groups and 71 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -123,7 +123,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id23" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id23"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -141,19 +145,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id23" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id23"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id24" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id24"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id24" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id24"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_crypto" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_integrity"><td style="padding-left: 76px" id="xccdf_org.ssgproject.content_group_crypto"><span class="label label-default">Group</span>  
                 System Cryptographic Policies
                           <small>Group contains 2 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_crypto" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_crypto" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_integrity"><td style="padding-left: 76px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_crypto">[ref]</a>  
@@ -214,7 +214,27 @@
 	echo "Error invoking the update-crypto-policies script: $stderr_of_call" &gt;&amp;2
 	false  # end with an error code
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id28" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id28"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id28" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id28"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    systemd:
+      units:
+        - name: configure-crypto-policy.service
+          enabled: true
+          contents: |
+            [Unit]
+            Before=kubelet.service
+            [Service]
+            Type=oneshot
+            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
+            RemainAfterExit=yes
+            [Install]
+            WantedBy=multi-user.target
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id29" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id29"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
   set_fact:
     var_system_crypto_policy: !!str <abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_system_crypto_policy">FIPS</abbr>
   tags:
@@ -261,26 +281,6 @@
   - low_disruption
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id29" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id29"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-        - name: configure-crypto-policy.service
-          enabled: true
-          contents: |
-            [Unit]
-            Before=kubelet.service
-            [Service]
-            Type=oneshot
-            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
-            RemainAfterExit=yes
-            [Install]
-            WantedBy=multi-user.target
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy" id="guide-tree-leaf-id30" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_crypto"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy"><span class="label label-default">Rule</span>  
                                 Configure SSH to use System Crypto Policy
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -5080,7 +5080,26 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id105" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id105"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id105" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id105"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/password-auth
+        overwrite: true
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/system-auth
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id106" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id106"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
     authselect
   ansible.builtin.stat:
     path: /usr/bin/authselect
@@ -5207,25 +5226,6 @@
   - medium_disruption
   - no_empty_passwords
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id106" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id106"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/password-auth
-        overwrite: true
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/system-auth
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_root_logins" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-restrictions"><td style="padding-left: 76px" id="xccdf_org.ssgproject.content_group_root_logins"><span class="label label-default">Group</span>  
                 Restrict Root Logins
                           <small>Group contains 2 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_root_logins" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_root_logins" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-restrictions"><td style="padding-left: 76px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_root_logins">[ref]</a>  
@@ -6110,7 +6110,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id130" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id130"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service firewalld
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id130" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id130"><pre><code>
+[customizations.services]
+enabled = ["firewalld"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id131" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id131"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service firewalld
   block:
 
   - name: Gather the package facts
@@ -6142,9 +6145,6 @@
   - medium_severity
   - no_reboot_needed
   - service_firewalld_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id131" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id131"><pre><code>
-[customizations.services]
-enabled = ["firewalld"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id132" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id132"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_firewalld
 
 class enable_firewalld {
@@ -6229,7 +6229,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id136" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id136"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Ensure kernel module 'dccp' is disabled
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id136" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id136"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,install%20dccp%20/bin/true%0Ablacklist%20dccp%0A
+        mode: 0644
+        path: /etc/modprobe.d/dccp.conf
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id137" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id137"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Ensure kernel module 'dccp' is disabled
   lineinfile:
/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-standard.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-standard.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-standard.html	2023-07-27 00:00:00.000000000 +0000
@@ -67,7 +67,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Standard System Security Profile for Red Hat Enterprise Linux 8</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_standard</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.0 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.0</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.1 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.1</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.10 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.10</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.2 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.2</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.3 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.3</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.4 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.4</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.5 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.5</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.6 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.6</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.8</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.9</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-8"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 8
                           <small>Group contains 29 groups and 57 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -522,7 +522,27 @@
 	echo "Error invoking the update-crypto-policies script: $stderr_of_call" &gt;&amp;2
 	false  # end with an error code
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id30" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id30"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id30" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id30"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    systemd:
+      units:
+        - name: configure-crypto-policy.service
+          enabled: true
+          contents: |
+            [Unit]
+            Before=kubelet.service
+            [Service]
+            Type=oneshot
+            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
+            RemainAfterExit=yes
+            [Install]
+            WantedBy=multi-user.target
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id31" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id31"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
   set_fact:
     var_system_crypto_policy: !!str <abbr title="from Benchmark/Value: xccdf_org.ssgproject.content_value_var_system_crypto_policy">DEFAULT</abbr>
   tags:
@@ -569,26 +589,6 @@
   - low_disruption
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id31" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id31"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-        - name: configure-crypto-policy.service
-          enabled: true
-          contents: |
-            [Unit]
-            Before=kubelet.service
-            [Service]
-            Type=oneshot
-            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
-            RemainAfterExit=yes
-            [Install]
-            WantedBy=multi-user.target
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy" id="guide-tree-leaf-id32" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_crypto"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy"><span class="label label-default">Rule</span>  
                                 Configure Kerberos to use System Crypto Policy
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -1295,7 +1295,26 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id61" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id61"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id61" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id61"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/password-auth
+        overwrite: true
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/system-auth
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id62" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id62"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
     authselect
   ansible.builtin.stat:
     path: /usr/bin/authselect
@@ -1422,25 +1441,6 @@
   - medium_disruption
   - no_empty_passwords
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id62" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id62"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/password-auth
-        overwrite: true
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/system-auth
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_accounts-session" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts"><td style="padding-left: 57px" id="xccdf_org.ssgproject.content_group_accounts-session"><span class="label label-default">Group</span>  
                 Secure Session Configuration Files for Login Accounts
                           <small>Group contains  1 group and 1 rule</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_accounts-session" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_accounts-session" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts"><td style="padding-left: 57px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_accounts-session">[ref]</a>  
@@ -16892,7 +16892,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id116" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id116"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id116" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id116"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db64%20-S%20adjtimex%20-k%20audit_time_rules%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20adjtimex%20-k%20audit_time_rules%0A }}
+        mode: 0600
+        path: /etc/audit/rules.d/75-syscall-adjtimex.rules
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id117" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id117"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -17220,20 +17234,6 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id117" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id117"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db64%20-S%20adjtimex%20-k%20audit_time_rules%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20adjtimex%20-k%20audit_time_rules%0A }}
-        mode: 0600
-        path: /etc/audit/rules.d/75-syscall-adjtimex.rules
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime" id="guide-tree-leaf-id118" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_audit_time_rules"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime"><span class="label label-default">Rule</span>  
                                 Record Attempts to Alter Time Through clock_settime
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">If the <code>auditd</code> daemon is configured to use the
@@ -17586,7 +17586,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id120" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id120"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id120" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id120"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db64%20-S%20clock_settime%20-F%20a0%3D0x0%20-k%20time-change%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20clock_settime%20-F%20a0%3D0x0%20-k%20time-change%0A }}
+        mode: 0600
+        path: /etc/audit/rules.d/75-syscall-clock-settime.rules
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id121" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id121"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -17907,20 +17921,6 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id121" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id121"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-stig.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-stig.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-stig.html	2023-07-27 00:00:00.000000000 +0000
@@ -76,7 +76,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>DISA STIG for Red Hat Enterprise Linux 8</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_stig</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.0 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.0</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.1 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.1</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.10 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.10</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.2 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.2</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.3 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.3</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.4 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.4</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.5 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.5</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.6 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.6</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.8</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.9</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_fapolicyd">Application Whitelisting Daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_kerberos">Kerberos</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_sssd">System Security Services Daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_usbguard">USBGuard daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_xwindows">X Window System</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-8"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 8
                           <small>Group contains 105 groups and 396 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -131,7 +131,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id23" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id23"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -149,19 +153,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id23" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id23"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id24" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id24"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id24" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id24"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_build_database" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_aide_build_database" id="guide-tree-leaf-id26" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_aide"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_aide_build_database"><span class="label label-default">Rule</span>  
                                 Build and Test AIDE Database
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_aide_build_database">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Run the following command to generate a new database:
@@ -1782,7 +1782,27 @@
 	echo "Error invoking the update-crypto-policies script: $stderr_of_call" &gt;&amp;2
 	false  # end with an error code
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id59" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id59"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id59" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id59"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    systemd:
+      units:
+        - name: configure-crypto-policy.service
+          enabled: true
+          contents: |
+            [Unit]
+            Before=kubelet.service
+            [Service]
+            Type=oneshot
+            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
+            RemainAfterExit=yes
+            [Install]
+            WantedBy=multi-user.target
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id60" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id60"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
   set_fact:
     var_system_crypto_policy: !!str <abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_system_crypto_policy">FIPS</abbr>
   tags:
@@ -1829,26 +1849,6 @@
   - low_disruption
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id60" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id60"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-        - name: configure-crypto-policy.service
-          enabled: true
-          contents: |
-            [Unit]
-            Before=kubelet.service
-            [Service]
-            Type=oneshot
-            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
-            RemainAfterExit=yes
-            [Install]
-            WantedBy=multi-user.target
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_configure_gnutls_tls_crypto_policy" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_configure_gnutls_tls_crypto_policy" id="guide-tree-leaf-id61" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_crypto"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_configure_gnutls_tls_crypto_policy"><span class="label label-default">Rule</span>  
                                 Configure GnuTLS library to use DoD-approved TLS Encryption
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_configure_gnutls_tls_crypto_policy">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -5202,7 +5202,11 @@
 if ! rpm -q --quiet "rng-tools" ; then
     yum install -y "rng-tools"
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id156" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id156"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rng-tools is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id156" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id156"><pre><code>
+[[packages]]
+name = "rng-tools"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id157" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id157"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rng-tools is installed
   package:
     name: rng-tools
     state: present
@@ -5215,19 +5219,15 @@
   - low_severity
   - no_reboot_needed
   - package_rng-tools_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id157" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id157"><pre><code>
-[[packages]]
-name = "rng-tools"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id158" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id158"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=rng-tools
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id159" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id159"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_rng-tools
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id158" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id158"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_rng-tools
 
 class install_rng-tools {
   package { 'rng-tools':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id159" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id159"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=rng-tools
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_abrt-addon-ccpp_removed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_abrt-addon-ccpp_removed" id="guide-tree-leaf-id160" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system-tools"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_abrt-addon-ccpp_removed"><span class="label label-default">Rule</span>  
                                 Uninstall abrt-addon-ccpp Package
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_abrt-addon-ccpp_removed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The <code>abrt-addon-ccpp</code> package can be removed with the following command:
@@ -5260,15 +5260,15 @@
   - low_severity
   - no_reboot_needed
   - package_abrt-addon-ccpp_removed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id163" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id163"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=abrt-addon-ccpp
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id164" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id164"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_abrt-addon-ccpp
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id163" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id163"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_abrt-addon-ccpp
 
 class remove_abrt-addon-ccpp {
   package { 'abrt-addon-ccpp':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id164" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id164"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=abrt-addon-ccpp
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_abrt-addon-kerneloops_removed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_abrt-addon-kerneloops_removed" id="guide-tree-leaf-id165" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system-tools"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_abrt-addon-kerneloops_removed"><span class="label label-default">Rule</span>  
                                 Uninstall abrt-addon-kerneloops Package
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_abrt-addon-kerneloops_removed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The <code>abrt-addon-kerneloops</code> package can be removed with the following command:
@@ -5301,15 +5301,15 @@
   - low_severity
   - no_reboot_needed
   - package_abrt-addon-kerneloops_removed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id168" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id168"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=abrt-addon-kerneloops
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id169" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id169"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_abrt-addon-kerneloops
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id168" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id168"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_abrt-addon-kerneloops
 
 class remove_abrt-addon-kerneloops {
   package { 'abrt-addon-kerneloops':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id169" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id169"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=abrt-addon-kerneloops
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_abrt-cli_removed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_abrt-cli_removed" id="guide-tree-leaf-id170" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system-tools"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_abrt-cli_removed"><span class="label label-default">Rule</span>  
                                 Uninstall abrt-cli Package
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_abrt-cli_removed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The <code>abrt-cli</code> package can be removed with the following command:
@@ -5342,15 +5342,15 @@
   - low_severity
   - no_reboot_needed
   - package_abrt-cli_removed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id173" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id173"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=abrt-cli
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id174" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id174"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_abrt-cli
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id173" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id173"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_abrt-cli
 
 class remove_abrt-cli {
   package { 'abrt-cli':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id174" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id174"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=abrt-cli
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_abrt-plugin-sosreport_removed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_abrt-plugin-sosreport_removed" id="guide-tree-leaf-id175" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system-tools"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_abrt-plugin-sosreport_removed"><span class="label label-default">Rule</span>  
                                 Uninstall abrt-plugin-sosreport Package
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_abrt-plugin-sosreport_removed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The <code>abrt-plugin-sosreport</code> package can be removed with the following command:
@@ -5382,15 +5382,15 @@
   - low_severity
   - no_reboot_needed
   - package_abrt-plugin-sosreport_removed
/usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-stig_gui.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-stig_gui.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel8-guide-stig_gui.html	2023-07-27 00:00:00.000000000 +0000
@@ -82,7 +82,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>DISA STIG with GUI for Red Hat Enterprise Linux 8</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_stig_gui</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.0 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.0</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.1 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.1</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.10 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.10</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.2 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.2</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.3 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.3</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.4 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.4</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.5 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.5</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.6 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.6</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.8</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8.9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8.9</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_fapolicyd">Application Whitelisting Daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_kerberos">Kerberos</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_sssd">System Security Services Daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_usbguard">USBGuard daemon</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-8"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 8
                           <small>Group contains 103 groups and 393 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-8"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -137,7 +137,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id23" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id23"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -155,19 +159,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id23" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id23"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id24" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id24"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id24" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id24"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_build_database" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_aide_build_database" id="guide-tree-leaf-id26" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_aide"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_aide_build_database"><span class="label label-default">Rule</span>  
                                 Build and Test AIDE Database
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_aide_build_database">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Run the following command to generate a new database:
@@ -1788,7 +1788,27 @@
 	echo "Error invoking the update-crypto-policies script: $stderr_of_call" &gt;&amp;2
 	false  # end with an error code
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id59" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id59"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id59" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id59"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    systemd:
+      units:
+        - name: configure-crypto-policy.service
+          enabled: true
+          contents: |
+            [Unit]
+            Before=kubelet.service
+            [Service]
+            Type=oneshot
+            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
+            RemainAfterExit=yes
+            [Install]
+            WantedBy=multi-user.target
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id60" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id60"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
   set_fact:
     var_system_crypto_policy: !!str <abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_system_crypto_policy">FIPS</abbr>
   tags:
@@ -1835,26 +1855,6 @@
   - low_disruption
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id60" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id60"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-        - name: configure-crypto-policy.service
-          enabled: true
-          contents: |
-            [Unit]
-            Before=kubelet.service
-            [Service]
-            Type=oneshot
-            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
-            RemainAfterExit=yes
-            [Install]
-            WantedBy=multi-user.target
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_configure_gnutls_tls_crypto_policy" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_configure_gnutls_tls_crypto_policy" id="guide-tree-leaf-id61" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_crypto"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_configure_gnutls_tls_crypto_policy"><span class="label label-default">Rule</span>  
                                 Configure GnuTLS library to use DoD-approved TLS Encryption
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_configure_gnutls_tls_crypto_policy">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -5208,7 +5208,11 @@
 if ! rpm -q --quiet "rng-tools" ; then
     yum install -y "rng-tools"
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id156" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id156"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rng-tools is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id156" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id156"><pre><code>
+[[packages]]
+name = "rng-tools"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id157" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id157"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rng-tools is installed
   package:
     name: rng-tools
     state: present
@@ -5221,19 +5225,15 @@
   - low_severity
   - no_reboot_needed
   - package_rng-tools_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id157" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id157"><pre><code>
-[[packages]]
-name = "rng-tools"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id158" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id158"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=rng-tools
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id159" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id159"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_rng-tools
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id158" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id158"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_rng-tools
 
 class install_rng-tools {
   package { 'rng-tools':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id159" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id159"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=rng-tools
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_abrt-addon-ccpp_removed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_abrt-addon-ccpp_removed" id="guide-tree-leaf-id160" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system-tools"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_abrt-addon-ccpp_removed"><span class="label label-default">Rule</span>  
                                 Uninstall abrt-addon-ccpp Package
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_abrt-addon-ccpp_removed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The <code>abrt-addon-ccpp</code> package can be removed with the following command:
@@ -5266,15 +5266,15 @@
   - low_severity
   - no_reboot_needed
   - package_abrt-addon-ccpp_removed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id163" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id163"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=abrt-addon-ccpp
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id164" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id164"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_abrt-addon-ccpp
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id163" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id163"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_abrt-addon-ccpp
 
 class remove_abrt-addon-ccpp {
   package { 'abrt-addon-ccpp':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id164" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id164"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=abrt-addon-ccpp
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_abrt-addon-kerneloops_removed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_abrt-addon-kerneloops_removed" id="guide-tree-leaf-id165" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system-tools"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_abrt-addon-kerneloops_removed"><span class="label label-default">Rule</span>  
                                 Uninstall abrt-addon-kerneloops Package
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_abrt-addon-kerneloops_removed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The <code>abrt-addon-kerneloops</code> package can be removed with the following command:
@@ -5307,15 +5307,15 @@
   - low_severity
   - no_reboot_needed
   - package_abrt-addon-kerneloops_removed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id168" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id168"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=abrt-addon-kerneloops
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id169" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id169"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_abrt-addon-kerneloops
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id168" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id168"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_abrt-addon-kerneloops
 
 class remove_abrt-addon-kerneloops {
   package { 'abrt-addon-kerneloops':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id169" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id169"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=abrt-addon-kerneloops
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_abrt-cli_removed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_abrt-cli_removed" id="guide-tree-leaf-id170" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system-tools"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_abrt-cli_removed"><span class="label label-default">Rule</span>  
                                 Uninstall abrt-cli Package
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_abrt-cli_removed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The <code>abrt-cli</code> package can be removed with the following command:
@@ -5348,15 +5348,15 @@
   - low_severity
   - no_reboot_needed
   - package_abrt-cli_removed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id173" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id173"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=abrt-cli
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id174" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id174"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_abrt-cli
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id173" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id173"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_abrt-cli
 
 class remove_abrt-cli {
   package { 'abrt-cli':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id174" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id174"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=abrt-cli
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_abrt-plugin-sosreport_removed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_abrt-plugin-sosreport_removed" id="guide-tree-leaf-id175" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system-tools"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_abrt-plugin-sosreport_removed"><span class="label label-default">Rule</span>  
                                 Uninstall abrt-plugin-sosreport Package
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_abrt-plugin-sosreport_removed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The <code>abrt-plugin-sosreport</code> package can be removed with the following command:
@@ -5388,15 +5388,15 @@
   - low_severity
   - no_reboot_needed
   - package_abrt-plugin-sosreport_removed
/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_enhanced.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_enhanced.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_enhanced.html	2023-07-27 00:00:00.000000000 +0000
@@ -71,7 +71,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>ANSSI-BP-028 (enhanced)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_bp28_enhanced</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:9</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-9"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 9
                           <small>Group contains 67 groups and 230 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -126,7 +126,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id19" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id19"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id19" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id19"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id20" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id20"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -143,19 +147,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id20" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id20"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id21" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id21"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id21" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id21"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_build_database" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_aide_build_database" id="guide-tree-leaf-id23" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_aide"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_aide_build_database"><span class="label label-default">Rule</span>  
                                 Build and Test AIDE Database
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_aide_build_database">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Run the following command to generate a new database:
@@ -430,7 +430,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id49" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id49"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id49" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id49"><pre><code>
+[[packages]]
+name = "sudo"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id50" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id50"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -445,19 +449,15 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id50" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id50"><pre><code>
-[[packages]]
-name = "sudo"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id51" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id51"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=sudo
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id52" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id52"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id51" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id51"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
 
 class install_sudo {
   package { 'sudo':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id52" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id52"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=sudo
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sudo_add_noexec" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sudo_add_noexec" id="guide-tree-leaf-id53" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_sudo"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_sudo_add_noexec"><span class="label label-default">Rule</span>  
                                 Ensure Privileged Escalated Commands Cannot Execute Other Commands - sudo NOEXEC
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_sudo_add_noexec">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The sudo <code>NOEXEC</code> tag, when specified, prevents user executed
@@ -788,7 +788,11 @@
 if ! rpm -q --quiet "dnf-automatic" ; then
     dnf install -y "dnf-automatic"
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id72" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id72"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure dnf-automatic is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id72" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id72"><pre><code>
+[[packages]]
+name = "dnf-automatic"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id73" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id73"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure dnf-automatic is installed
   package:
     name: dnf-automatic
     state: present
@@ -800,19 +804,15 @@
   - medium_severity
   - no_reboot_needed
   - package_dnf-automatic_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id73" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id73"><pre><code>
-[[packages]]
-name = "dnf-automatic"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id74" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id74"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=dnf-automatic
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id75" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id75"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_dnf-automatic
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id74" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id74"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_dnf-automatic
 
 class install_dnf-automatic {
   package { 'dnf-automatic':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id75" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id75"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=dnf-automatic
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates" id="guide-tree-leaf-id76" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_updating"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates"><span class="label label-default">Rule</span>  
                                 Configure dnf-automatic to Install Available Updates Automatically
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">To ensure that the packages comprising the available updates will be automatically installed by <code>dnf-automatic</code>, set <code>apply_updates</code> to <code>yes</code> under <code>[commands]</code> section in <code>/etc/dnf/automatic.conf</code>.</div></td></tr><tr><td><span class="label label-primary">Rationale:</span></td><td><div class="rationale">Installing software updates is a fundamental mitigation against
@@ -7530,7 +7530,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id146" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id146"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Direct root Logins Not Allowed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id146" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id146"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,
+        mode: 0600
+        path: /etc/securetty
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id147" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id147"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Direct root Logins Not Allowed
   copy:
     dest: /etc/securetty
     content: ''
@@ -7548,20 +7562,6 @@
   - no_direct_root_logins
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id147" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id147"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,
-        mode: 0600
-        path: /etc/securetty
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_accounts-session" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts"><td style="padding-left: 57px" id="xccdf_org.ssgproject.content_group_accounts-session"><span class="label label-default">Group</span>  
                 Secure Session Configuration Files for Login Accounts
                           <small>Group contains 1 group and 6 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_accounts-session" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_accounts-session" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts"><td style="padding-left: 57px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_accounts-session">[ref]</a>  
@@ -31880,7 +31880,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id241" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id241"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id241" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id241"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20delete_module%20-k%20module-change%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20delete_module%20-k%20module-change%0A
+        mode: 0600
+        path: /etc/audit/rules.d/75-kernel-module-loading-delete.rules
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id242" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id242"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -32201,20 +32215,6 @@
   - low_disruption
   - medium_severity
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id242" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id242"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_high.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_high.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_high.html	2023-07-27 00:00:00.000000000 +0000
@@ -71,7 +71,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>ANSSI-BP-028 (high)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_bp28_high</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:9</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_kernel_build_config">Kernel Configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-9"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 9
                           <small>Group contains 69 groups and 309 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -126,7 +126,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id19" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id19"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id19" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id19"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id20" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id20"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -143,19 +147,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id20" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id20"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id21" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id21"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id21" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id21"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_build_database" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_aide_build_database" id="guide-tree-leaf-id23" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_aide"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_aide_build_database"><span class="label label-default">Rule</span>  
                                 Build and Test AIDE Database
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_aide_build_database">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Run the following command to generate a new database:
@@ -712,7 +712,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id58" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id58"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id58" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id58"><pre><code>
+[[packages]]
+name = "sudo"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id59" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id59"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -727,19 +731,15 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id59" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id59"><pre><code>
-[[packages]]
-name = "sudo"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id60" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id60"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=sudo
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id61" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id61"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id60" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id60"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
 
 class install_sudo {
   package { 'sudo':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id61" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id61"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=sudo
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sudo_add_noexec" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sudo_add_noexec" id="guide-tree-leaf-id62" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_sudo"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_sudo_add_noexec"><span class="label label-default">Rule</span>  
                                 Ensure Privileged Escalated Commands Cannot Execute Other Commands - sudo NOEXEC
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_sudo_add_noexec">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The sudo <code>NOEXEC</code> tag, when specified, prevents user executed
@@ -1070,7 +1070,11 @@
 if ! rpm -q --quiet "dnf-automatic" ; then
     dnf install -y "dnf-automatic"
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id81" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id81"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure dnf-automatic is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id81" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id81"><pre><code>
+[[packages]]
+name = "dnf-automatic"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id82" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id82"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure dnf-automatic is installed
   package:
     name: dnf-automatic
     state: present
@@ -1082,19 +1086,15 @@
   - medium_severity
   - no_reboot_needed
   - package_dnf-automatic_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id82" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id82"><pre><code>
-[[packages]]
-name = "dnf-automatic"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id83" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id83"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=dnf-automatic
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id84" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id84"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_dnf-automatic
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id83" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id83"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_dnf-automatic
 
 class install_dnf-automatic {
   package { 'dnf-automatic':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id84" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id84"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=dnf-automatic
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates" id="guide-tree-leaf-id85" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_updating"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates"><span class="label label-default">Rule</span>  
                                 Configure dnf-automatic to Install Available Updates Automatically
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">To ensure that the packages comprising the available updates will be automatically installed by <code>dnf-automatic</code>, set <code>apply_updates</code> to <code>yes</code> under <code>[commands]</code> section in <code>/etc/dnf/automatic.conf</code>.</div></td></tr><tr><td><span class="label label-primary">Rationale:</span></td><td><div class="rationale">Installing software updates is a fundamental mitigation against
@@ -7812,7 +7812,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id155" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id155"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Direct root Logins Not Allowed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id155" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id155"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,
+        mode: 0600
+        path: /etc/securetty
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id156" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id156"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Direct root Logins Not Allowed
   copy:
     dest: /etc/securetty
     content: ''
@@ -7830,20 +7844,6 @@
   - no_direct_root_logins
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id156" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id156"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,
-        mode: 0600
-        path: /etc/securetty
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_accounts-session" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts"><td style="padding-left: 57px" id="xccdf_org.ssgproject.content_group_accounts-session"><span class="label label-default">Group</span>  
                 Secure Session Configuration Files for Login Accounts
                           <small>Group contains 1 group and 6 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_accounts-session" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_accounts-session" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts"><td style="padding-left: 57px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_accounts-session">[ref]</a>  
@@ -32162,7 +32162,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id250" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id250"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id250" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id250"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20delete_module%20-k%20module-change%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20delete_module%20-k%20module-change%0A
+        mode: 0600
+        path: /etc/audit/rules.d/75-kernel-module-loading-delete.rules
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id251" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id251"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -32483,20 +32497,6 @@
   - low_disruption
   - medium_severity
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id251" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id251"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_intermediary.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_intermediary.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_intermediary.html	2023-07-27 00:00:00.000000000 +0000
@@ -71,7 +71,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>ANSSI-BP-028 (intermediary)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_bp28_intermediary</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:9</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-9"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 9
                           <small>Group contains 55 groups and 164 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -126,7 +126,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id19" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id19"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id19" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id19"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id20" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id20"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -143,19 +147,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id20" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id20"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id21" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id21"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id21" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id21"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_build_database" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_aide_build_database" id="guide-tree-leaf-id23" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_aide"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_aide_build_database"><span class="label label-default">Rule</span>  
                                 Build and Test AIDE Database
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_aide_build_database">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Run the following command to generate a new database:
@@ -411,7 +411,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id46" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id46"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id46" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id46"><pre><code>
+[[packages]]
+name = "sudo"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id47" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id47"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -426,19 +430,15 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id47" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id47"><pre><code>
-[[packages]]
-name = "sudo"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id48" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id48"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=sudo
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id49" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id49"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id48" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id48"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
 
 class install_sudo {
   package { 'sudo':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id49" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id49"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=sudo
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sudo_add_noexec" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sudo_add_noexec" id="guide-tree-leaf-id50" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_sudo"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_sudo_add_noexec"><span class="label label-default">Rule</span>  
                                 Ensure Privileged Escalated Commands Cannot Execute Other Commands - sudo NOEXEC
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_sudo_add_noexec">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The sudo <code>NOEXEC</code> tag, when specified, prevents user executed
@@ -769,7 +769,11 @@
 if ! rpm -q --quiet "dnf-automatic" ; then
     dnf install -y "dnf-automatic"
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id69" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id69"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure dnf-automatic is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id69" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id69"><pre><code>
+[[packages]]
+name = "dnf-automatic"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id70" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id70"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure dnf-automatic is installed
   package:
     name: dnf-automatic
     state: present
@@ -781,19 +785,15 @@
   - medium_severity
   - no_reboot_needed
   - package_dnf-automatic_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id70" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id70"><pre><code>
-[[packages]]
-name = "dnf-automatic"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id71" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id71"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=dnf-automatic
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id72" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id72"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_dnf-automatic
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id71" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id71"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_dnf-automatic
 
 class install_dnf-automatic {
   package { 'dnf-automatic':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id72" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id72"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=dnf-automatic
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates" id="guide-tree-leaf-id73" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_updating"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates"><span class="label label-default">Rule</span>  
                                 Configure dnf-automatic to Install Available Updates Automatically
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">To ensure that the packages comprising the available updates will be automatically installed by <code>dnf-automatic</code>, set <code>apply_updates</code> to <code>yes</code> under <code>[commands]</code> section in <code>/etc/dnf/automatic.conf</code>.</div></td></tr><tr><td><span class="label label-primary">Rationale:</span></td><td><div class="rationale">Installing software updates is a fundamental mitigation against
@@ -7505,7 +7505,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id142" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id142"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Direct root Logins Not Allowed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id142" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id142"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,
+        mode: 0600
+        path: /etc/securetty
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id143" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id143"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Direct root Logins Not Allowed
   copy:
     dest: /etc/securetty
     content: ''
@@ -7523,20 +7537,6 @@
   - no_direct_root_logins
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id143" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id143"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,
-        mode: 0600
-        path: /etc/securetty
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_accounts-session" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts"><td style="padding-left: 57px" id="xccdf_org.ssgproject.content_group_accounts-session"><span class="label label-default">Group</span>  
                 Secure Session Configuration Files for Login Accounts
                           <small>Group contains 3 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_accounts-session" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_accounts-session" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts"><td style="padding-left: 57px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_accounts-session">[ref]</a>  
@@ -8503,7 +8503,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id161" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id161"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id161" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id161"><pre><code>[customizations.kernel]
+append = "l1tf=<abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_l1tf_options">full,force</abbr>"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id162" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id162"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -8533,8 +8535,6 @@
   - medium_complexity
   - reboot_required
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id162" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id162"><pre><code>[customizations.kernel]
-append = "l1tf=<abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_l1tf_options">full,force</abbr>"
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_grub2_mce_argument" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_grub2_mce_argument" id="guide-tree-leaf-id163" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_bootloader-grub2"><td style="padding-left: 57px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_grub2_mce_argument"><span class="label label-default">Rule</span>  
                                 Force kernel panic on uncorrected MCEs
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_grub2_mce_argument">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">A Machine Check Exception is an error generated by the CPU itdetects an error
@@ -8561,7 +8561,9 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id165" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id165"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id165" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id165"><pre><code>[customizations.kernel]
+append = "mce=0"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id166" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id166"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>medium</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -8586,8 +8588,6 @@
   - medium_severity
   - reboot_required
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id166" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id166"><pre><code>[customizations.kernel]
-append = "mce=0"
/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_minimal.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_minimal.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-anssi_bp28_minimal.html	2023-07-27 00:00:00.000000000 +0000
@@ -71,7 +71,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>ANSSI-BP-028 (minimal)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_bp28_minimal</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:9</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-9"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 9
                           <small>Group contains 26 groups and 47 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -238,7 +238,11 @@
 if ! rpm -q --quiet "dnf-automatic" ; then
     dnf install -y "dnf-automatic"
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure dnf-automatic is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><pre><code>
+[[packages]]
+name = "dnf-automatic"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id26" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id26"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure dnf-automatic is installed
   package:
     name: dnf-automatic
     state: present
@@ -250,19 +254,15 @@
   - medium_severity
   - no_reboot_needed
   - package_dnf-automatic_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id26" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id26"><pre><code>
-[[packages]]
-name = "dnf-automatic"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id27" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id27"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=dnf-automatic
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id28" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id28"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_dnf-automatic
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id27" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id27"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_dnf-automatic
 
 class install_dnf-automatic {
   package { 'dnf-automatic':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id28" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id28"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=dnf-automatic
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates" id="guide-tree-leaf-id29" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_updating"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates"><span class="label label-default">Rule</span>  
                                 Configure dnf-automatic to Install Available Updates Automatically
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_dnf-automatic_apply_updates">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">To ensure that the packages comprising the available updates will be automatically installed by <code>dnf-automatic</code>, set <code>apply_updates</code> to <code>yes</code> under <code>[commands]</code> section in <code>/etc/dnf/automatic.conf</code>.</div></td></tr><tr><td><span class="label label-primary">Rationale:</span></td><td><div class="rationale">Installing software updates is a fundamental mitigation against
@@ -7277,15 +7277,15 @@
   - medium_severity
   - no_reboot_needed
   - package_dhcp_removed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id113" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id113"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=dhcp-server
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id114" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id114"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_dhcp-server
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id113" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id113"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_dhcp-server
 
 class remove_dhcp-server {
   package { 'dhcp-server':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id114" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id114"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=dhcp-server
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_mail" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td style="padding-left: 38px" id="xccdf_org.ssgproject.content_group_mail"><span class="label label-default">Group</span>  
                 Mail Server Software
                           <small>Group contains  1 rule</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_mail" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_mail" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td style="padding-left: 38px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_mail">[ref]</a>  
@@ -7353,15 +7353,15 @@
   - medium_severity
   - no_reboot_needed
   - package_sendmail_removed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id118" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id118"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=sendmail
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id119" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id119"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_sendmail
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id118" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id118"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_sendmail
 
 class remove_sendmail {
   package { 'sendmail':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id119" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id119"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=sendmail
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_obsolete" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td style="padding-left: 38px" id="xccdf_org.ssgproject.content_group_obsolete"><span class="label label-default">Group</span>  
                 Obsolete Services
                           <small>Group contains 6 groups and 11 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_obsolete" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_obsolete" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_services"><td style="padding-left: 38px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_obsolete">[ref]</a>  
@@ -7430,15 +7430,15 @@
   - low_severity
   - no_reboot_needed
   - package_xinetd_removed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id123" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id123"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=xinetd
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id124" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id124"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_xinetd
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id123" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id123"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_xinetd
 
 class remove_xinetd {
   package { 'xinetd':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id124" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id124"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=xinetd
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_nis" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td style="padding-left: 57px" id="xccdf_org.ssgproject.content_group_nis"><span class="label label-default">Group</span>  
                 NIS
                           <small>Group contains 2 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_nis" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_nis" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td style="padding-left: 57px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_nis">[ref]</a>  
@@ -7483,15 +7483,15 @@
   - no_reboot_needed
   - package_ypbind_removed
   - unknown_severity
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id128" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id128"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=ypbind
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id129" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id129"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_ypbind
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id128" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id128"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_ypbind
 
 class remove_ypbind {
   package { 'ypbind':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id129" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id129"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=ypbind
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_ypserv_removed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_ypserv_removed" id="guide-tree-leaf-id130" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_nis"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_ypserv_removed"><span class="label label-default">Rule</span>  
                                 Uninstall ypserv Package
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_ypserv_removed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The <code>ypserv</code> package can be removed with the following command:
@@ -7533,15 +7533,15 @@
   - low_disruption
   - no_reboot_needed
   - package_ypserv_removed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id133" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id133"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=ypserv
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id134" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id134"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_ypserv
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id133" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id133"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_ypserv
 
 class remove_ypserv {
   package { 'ypserv':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id134" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id134"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=ypserv
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_r_services" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td style="padding-left: 57px" id="xccdf_org.ssgproject.content_group_r_services"><span class="label label-default">Group</span>  
                 Rlogin, Rsh, and Rexec
                           <small>Group contains 2 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_r_services" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_r_services" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td style="padding-left: 57px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_r_services">[ref]</a>  
@@ -7586,15 +7586,15 @@
   - low_disruption
   - no_reboot_needed
   - package_rsh-server_removed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id138" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id138"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=rsh-server
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id139" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id139"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_rsh-server
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id138" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id138"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_rsh-server
 
 class remove_rsh-server {
   package { 'rsh-server':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id139" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id139"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=rsh-server
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_rsh_removed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_rsh_removed" id="guide-tree-leaf-id140" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_r_services"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_rsh_removed"><span class="label label-default">Rule</span>  
                                 Uninstall rsh Package
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_rsh_removed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">
@@ -7635,15 +7635,15 @@
   - no_reboot_needed
   - package_rsh_removed
   - unknown_severity
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id143" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id143"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=rsh
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id144" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id144"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_rsh
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id143" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id143"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_rsh
 
 class remove_rsh {
   package { 'rsh':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id144" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id144"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=rsh
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_talk" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td style="padding-left: 57px" id="xccdf_org.ssgproject.content_group_talk"><span class="label label-default">Group</span>  
                 Chat/Messaging Services
                           <small>Group contains 2 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_talk" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_talk" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_obsolete"><td style="padding-left: 57px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_talk">[ref]</a>  
@@ -7678,15 +7678,15 @@
   - medium_severity
   - no_reboot_needed
   - package_talk-server_removed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id148" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id148"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=talk-server
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id149" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id149"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_talk-server
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id148" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id148"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_talk-server
 
 class remove_talk-server {
   package { 'talk-server':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id149" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id149"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=talk-server
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_talk_removed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_talk_removed" id="guide-tree-leaf-id150" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_talk"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_talk_removed"><span class="label label-default">Rule</span>  
                                 Uninstall talk Package
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_talk_removed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The <code>talk</code> package contains the client program for the
@@ -7724,15 +7724,15 @@
/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis.html	2023-07-27 00:00:00.000000000 +0000
@@ -70,7 +70,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Server</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_cis</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:9</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_avahi">Avahi Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_dns">DNS Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_http">Web Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_imap">IMAP and POP3 Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_printing">Print Support</a></li><li><a href="#xccdf_org.ssgproject.content_group_proxy">Proxy Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB) Microsoft Windows File Sharing Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_snmp">SNMP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_xwindows">X Window System</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-9"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 9
                           <small>Group contains 112 groups and 352 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -125,7 +125,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id19" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id19"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id19" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id19"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id20" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id20"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -142,19 +146,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id20" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id20"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id21" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id21"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id21" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id21"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_build_database" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_aide_build_database" id="guide-tree-leaf-id23" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_aide"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_aide_build_database"><span class="label label-default">Rule</span>  
                                 Build and Test AIDE Database
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_aide_build_database">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Run the following command to generate a new database:
@@ -630,7 +630,27 @@
 	echo "Error invoking the update-crypto-policies script: $stderr_of_call" &gt;&amp;2
 	false  # end with an error code
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id34" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id34"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id34" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id34"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    systemd:
+      units:
+        - name: configure-crypto-policy.service
+          enabled: true
+          contents: |
+            [Unit]
+            Before=kubelet.service
+            [Service]
+            Type=oneshot
+            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
+            RemainAfterExit=yes
+            [Install]
+            WantedBy=multi-user.target
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id35" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id35"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
   set_fact:
     var_system_crypto_policy: !!str <abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_system_crypto_policy">DEFAULT</abbr>
   tags:
@@ -675,26 +695,6 @@
   - low_disruption
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id35" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id35"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-        - name: configure-crypto-policy.service
-          enabled: true
-          contents: |
-            [Unit]
-            Before=kubelet.service
-            [Service]
-            Type=oneshot
-            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
-            RemainAfterExit=yes
-            [Install]
-            WantedBy=multi-user.target
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy" id="guide-tree-leaf-id36" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_crypto"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy"><span class="label label-default">Rule</span>  
                                 Configure SSH to use System Crypto Policy
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -2101,15 +2101,15 @@
   - medium_severity
   - no_reboot_needed
   - package_gdm_removed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id90" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id90"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=gdm
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id91" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id91"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_gdm
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id90" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id90"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_gdm
 
 class remove_gdm {
   package { 'gdm':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id91" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id91"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=gdm
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_dconf_db_up_to_date" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_dconf_db_up_to_date" id="guide-tree-leaf-id92" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_gnome"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_dconf_db_up_to_date"><span class="label label-default">Rule</span>  
                                 Make sure that the dconf databases are up-to-date with regards to respective keyfiles
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_dconf_db_up_to_date">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">By default, DConf uses a binary database as a data backend.
@@ -2158,7 +2158,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id96" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id96"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id96" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id96"><pre><code>
+[[packages]]
+name = "sudo"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id97" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id97"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -2173,19 +2177,15 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id97" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id97"><pre><code>
-[[packages]]
-name = "sudo"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id98" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id98"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=sudo
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id99" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id99"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id98" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id98"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
 
 class install_sudo {
   package { 'sudo':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id99" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id99"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=sudo
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sudo_add_use_pty" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sudo_add_use_pty" id="guide-tree-leaf-id100" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_sudo"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_sudo_add_use_pty"><span class="label label-default">Rule</span>  
                                 Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_pty
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_sudo_add_use_pty">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The sudo <code>use_pty</code> tag, when specified, will only execute sudo
@@ -9906,7 +9906,26 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id216" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id216"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id216" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id216"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/password-auth
+        overwrite: true
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/system-auth
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id217" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id217"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
     authselect
   ansible.builtin.stat:
     path: /usr/bin/authselect
@@ -10030,25 +10049,6 @@
   - medium_disruption
   - no_empty_passwords
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id217" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id217"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis_server_l1.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis_server_l1.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis_server_l1.html	2023-07-27 00:00:00.000000000 +0000
@@ -70,7 +70,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Server</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_cis_server_l1</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:9</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_avahi">Avahi Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_dns">DNS Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_http">Web Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_imap">IMAP and POP3 Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_printing">Print Support</a></li><li><a href="#xccdf_org.ssgproject.content_group_proxy">Proxy Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB) Microsoft Windows File Sharing Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_snmp">SNMP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-9"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 9
                           <small>Group contains 96 groups and 267 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -125,7 +125,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id19" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id19"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id19" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id19"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id20" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id20"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -142,19 +146,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id20" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id20"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id21" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id21"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id21" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id21"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_build_database" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_aide_build_database" id="guide-tree-leaf-id23" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_aide"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_aide_build_database"><span class="label label-default">Rule</span>  
                                 Build and Test AIDE Database
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_aide_build_database">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Run the following command to generate a new database:
@@ -630,7 +630,27 @@
 	echo "Error invoking the update-crypto-policies script: $stderr_of_call" &gt;&amp;2
 	false  # end with an error code
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id34" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id34"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id34" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id34"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    systemd:
+      units:
+        - name: configure-crypto-policy.service
+          enabled: true
+          contents: |
+            [Unit]
+            Before=kubelet.service
+            [Service]
+            Type=oneshot
+            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
+            RemainAfterExit=yes
+            [Install]
+            WantedBy=multi-user.target
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id35" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id35"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
   set_fact:
     var_system_crypto_policy: !!str <abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_system_crypto_policy">DEFAULT</abbr>
   tags:
@@ -675,26 +695,6 @@
   - low_disruption
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id35" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id35"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-        - name: configure-crypto-policy.service
-          enabled: true
-          contents: |
-            [Unit]
-            Before=kubelet.service
-            [Service]
-            Type=oneshot
-            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
-            RemainAfterExit=yes
-            [Install]
-            WantedBy=multi-user.target
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy" id="guide-tree-leaf-id36" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_crypto"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy"><span class="label label-default">Rule</span>  
                                 Configure SSH to use System Crypto Policy
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -2007,7 +2007,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id76" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id76"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id76" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id76"><pre><code>
+[[packages]]
+name = "sudo"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id77" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id77"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -2022,19 +2026,15 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id77" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id77"><pre><code>
-[[packages]]
-name = "sudo"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id78" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id78"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=sudo
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id79" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id79"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id78" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id78"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
 
 class install_sudo {
   package { 'sudo':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id79" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id79"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=sudo
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sudo_add_use_pty" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sudo_add_use_pty" id="guide-tree-leaf-id80" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_sudo"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_sudo_add_use_pty"><span class="label label-default">Rule</span>  
                                 Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_pty
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_sudo_add_use_pty">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The sudo <code>use_pty</code> tag, when specified, will only execute sudo
@@ -9641,7 +9641,26 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id193" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id193"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id193" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id193"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/password-auth
+        overwrite: true
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/system-auth
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id194" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id194"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
     authselect
   ansible.builtin.stat:
     path: /usr/bin/authselect
@@ -9765,25 +9784,6 @@
   - medium_disruption
   - no_empty_passwords
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id194" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id194"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/password-auth
-        overwrite: true
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/system-auth
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow" id="guide-tree-leaf-id195" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_password_storage"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow"><span class="label label-default">Rule</span>  
                                 Ensure There Are No Accounts With Blank or Null Passwords
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Check the "/etc/shadow" file for blank passwords with the
@@ -12493,7 +12493,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id273" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id273"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service systemd-journald
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id273" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id273"><pre><code>
+[customizations.services]
/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis_workstation_l1.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis_workstation_l1.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis_workstation_l1.html	2023-07-27 00:00:00.000000000 +0000
@@ -70,7 +70,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Workstation</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_cis_workstation_l1</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:9</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_dns">DNS Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_http">Web Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_imap">IMAP and POP3 Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_proxy">Proxy Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB) Microsoft Windows File Sharing Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_snmp">SNMP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-9"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 9
                           <small>Group contains 91 groups and 263 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -125,7 +125,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id19" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id19"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id19" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id19"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id20" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id20"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -142,19 +146,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id20" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id20"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id21" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id21"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id21" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id21"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_build_database" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_aide_build_database" id="guide-tree-leaf-id23" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_aide"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_aide_build_database"><span class="label label-default">Rule</span>  
                                 Build and Test AIDE Database
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_aide_build_database">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Run the following command to generate a new database:
@@ -630,7 +630,27 @@
 	echo "Error invoking the update-crypto-policies script: $stderr_of_call" &gt;&amp;2
 	false  # end with an error code
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id34" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id34"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id34" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id34"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    systemd:
+      units:
+        - name: configure-crypto-policy.service
+          enabled: true
+          contents: |
+            [Unit]
+            Before=kubelet.service
+            [Service]
+            Type=oneshot
+            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
+            RemainAfterExit=yes
+            [Install]
+            WantedBy=multi-user.target
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id35" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id35"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
   set_fact:
     var_system_crypto_policy: !!str <abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_system_crypto_policy">DEFAULT</abbr>
   tags:
@@ -675,26 +695,6 @@
   - low_disruption
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id35" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id35"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-        - name: configure-crypto-policy.service
-          enabled: true
-          contents: |
-            [Unit]
-            Before=kubelet.service
-            [Service]
-            Type=oneshot
-            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
-            RemainAfterExit=yes
-            [Install]
-            WantedBy=multi-user.target
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy" id="guide-tree-leaf-id36" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_crypto"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy"><span class="label label-default">Rule</span>  
                                 Configure SSH to use System Crypto Policy
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -2007,7 +2007,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id76" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id76"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id76" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id76"><pre><code>
+[[packages]]
+name = "sudo"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id77" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id77"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -2022,19 +2026,15 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id77" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id77"><pre><code>
-[[packages]]
-name = "sudo"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id78" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id78"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=sudo
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id79" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id79"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id78" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id78"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
 
 class install_sudo {
   package { 'sudo':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id79" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id79"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=sudo
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sudo_add_use_pty" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sudo_add_use_pty" id="guide-tree-leaf-id80" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_sudo"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_sudo_add_use_pty"><span class="label label-default">Rule</span>  
                                 Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_pty
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_sudo_add_use_pty">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The sudo <code>use_pty</code> tag, when specified, will only execute sudo
@@ -9641,7 +9641,26 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id193" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id193"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id193" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id193"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/password-auth
+        overwrite: true
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/system-auth
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id194" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id194"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
     authselect
   ansible.builtin.stat:
     path: /usr/bin/authselect
@@ -9765,25 +9784,6 @@
   - medium_disruption
   - no_empty_passwords
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id194" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id194"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/password-auth
-        overwrite: true
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/system-auth
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow" id="guide-tree-leaf-id195" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_password_storage"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow"><span class="label label-default">Rule</span>  
                                 Ensure There Are No Accounts With Blank or Null Passwords
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Check the "/etc/shadow" file for blank passwords with the
@@ -12493,7 +12493,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id273" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id273"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service systemd-journald
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id273" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id273"><pre><code>
+[customizations.services]
/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis_workstation_l2.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis_workstation_l2.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cis_workstation_l2.html	2023-07-27 00:00:00.000000000 +0000
@@ -70,7 +70,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Workstation</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_cis_workstation_l2</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:9</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_dns">DNS Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_http">Web Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_imap">IMAP and POP3 Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_proxy">Proxy Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB) Microsoft Windows File Sharing Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_snmp">SNMP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-9"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 9
                           <small>Group contains 105 groups and 346 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -125,7 +125,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id19" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id19"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id19" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id19"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id20" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id20"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -142,19 +146,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id20" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id20"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id21" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id21"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id21" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id21"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_build_database" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_aide_build_database" id="guide-tree-leaf-id23" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_aide"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_aide_build_database"><span class="label label-default">Rule</span>  
                                 Build and Test AIDE Database
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_aide_build_database">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Run the following command to generate a new database:
@@ -630,7 +630,27 @@
 	echo "Error invoking the update-crypto-policies script: $stderr_of_call" &gt;&amp;2
 	false  # end with an error code
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id34" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id34"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id34" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id34"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    systemd:
+      units:
+        - name: configure-crypto-policy.service
+          enabled: true
+          contents: |
+            [Unit]
+            Before=kubelet.service
+            [Service]
+            Type=oneshot
+            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
+            RemainAfterExit=yes
+            [Install]
+            WantedBy=multi-user.target
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id35" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id35"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
   set_fact:
     var_system_crypto_policy: !!str <abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_system_crypto_policy">DEFAULT</abbr>
   tags:
@@ -675,26 +695,6 @@
   - low_disruption
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id35" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id35"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-        - name: configure-crypto-policy.service
-          enabled: true
-          contents: |
-            [Unit]
-            Before=kubelet.service
-            [Service]
-            Type=oneshot
-            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
-            RemainAfterExit=yes
-            [Install]
-            WantedBy=multi-user.target
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy" id="guide-tree-leaf-id36" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_crypto"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy"><span class="label label-default">Rule</span>  
                                 Configure SSH to use System Crypto Policy
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -2087,7 +2087,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id91" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id91"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id91" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id91"><pre><code>
+[[packages]]
+name = "sudo"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id92" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id92"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -2102,19 +2106,15 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id92" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id92"><pre><code>
-[[packages]]
-name = "sudo"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id93" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id93"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=sudo
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id94" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id94"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id93" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id93"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
 
 class install_sudo {
   package { 'sudo':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id94" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id94"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=sudo
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sudo_add_use_pty" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sudo_add_use_pty" id="guide-tree-leaf-id95" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_sudo"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_sudo_add_use_pty"><span class="label label-default">Rule</span>  
                                 Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_pty
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_sudo_add_use_pty">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The sudo <code>use_pty</code> tag, when specified, will only execute sudo
@@ -9835,7 +9835,26 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id211" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id211"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id211" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id211"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/password-auth
+        overwrite: true
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/system-auth
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id212" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id212"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
     authselect
   ansible.builtin.stat:
     path: /usr/bin/authselect
@@ -9959,25 +9978,6 @@
   - medium_disruption
   - no_empty_passwords
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id212" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id212"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/password-auth
-        overwrite: true
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/system-auth
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow" id="guide-tree-leaf-id213" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_password_storage"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow"><span class="label label-default">Rule</span>  
                                 Ensure There Are No Accounts With Blank or Null Passwords
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Check the "/etc/shadow" file for blank passwords with the
@@ -34999,7 +34999,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id338" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id338"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id338" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id338"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cui.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cui.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-cui.html	2023-07-27 00:00:00.000000000 +0000
@@ -81,7 +81,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>[DRAFT] Unclassified Information in Non-federal Information Systems and Organizations (NIST 800-171)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_cui</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:9</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-zipl">zIPL bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_fapolicyd">Application Whitelisting Daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_usbguard">USBGuard daemon</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-9"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 9
                           <small>Group contains 46 groups and 144 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -285,7 +285,11 @@
 if ! rpm -q --quiet "crypto-policies" ; then
     dnf install -y "crypto-policies"
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id24" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id24"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure crypto-policies is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id24" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id24"><pre><code>
+[[packages]]
+name = "crypto-policies"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure crypto-policies is installed
   package:
     name: crypto-policies
     state: present
@@ -297,19 +301,15 @@
   - medium_severity
   - no_reboot_needed
   - package_crypto-policies_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><pre><code>
-[[packages]]
-name = "crypto-policies"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id26" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id26"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=crypto-policies
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id27" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id27"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_crypto-policies
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id26" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id26"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_crypto-policies
 
 class install_crypto-policies {
   package { 'crypto-policies':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id27" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id27"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=crypto-policies
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_configure_crypto_policy" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_configure_crypto_policy" id="guide-tree-leaf-id28" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_crypto"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_configure_crypto_policy"><span class="label label-default">Rule</span>  
                                 Configure System Cryptography Policy
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_configure_crypto_policy">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">To configure the system cryptography policy to use ciphers only from the <code><abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_system_crypto_policy">FIPS:OSPP</abbr></code>
@@ -355,7 +355,27 @@
 	echo "Error invoking the update-crypto-policies script: $stderr_of_call" &gt;&amp;2
 	false  # end with an error code
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id30" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id30"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id30" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id30"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    systemd:
+      units:
+        - name: configure-crypto-policy.service
+          enabled: true
+          contents: |
+            [Unit]
+            Before=kubelet.service
+            [Service]
+            Type=oneshot
+            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
+            RemainAfterExit=yes
+            [Install]
+            WantedBy=multi-user.target
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id31" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id31"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
   set_fact:
     var_system_crypto_policy: !!str <abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_system_crypto_policy">FIPS:OSPP</abbr>
   tags:
@@ -400,26 +420,6 @@
   - low_disruption
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id31" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id31"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-        - name: configure-crypto-policy.service
-          enabled: true
-          contents: |
-            [Unit]
-            Before=kubelet.service
-            [Service]
-            Type=oneshot
-            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
-            RemainAfterExit=yes
-            [Install]
-            WantedBy=multi-user.target
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_configure_openssl_crypto_policy" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_configure_openssl_crypto_policy" id="guide-tree-leaf-id32" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_crypto"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_configure_openssl_crypto_policy"><span class="label label-default">Rule</span>  
                                 Configure OpenSSL library to use System Crypto Policy
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_configure_openssl_crypto_policy">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -641,7 +641,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id43" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id43"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id43" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id43"><pre><code>
+[[packages]]
+name = "sudo"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id44" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id44"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -656,19 +660,15 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id44" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id44"><pre><code>
-[[packages]]
-name = "sudo"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id45" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id45"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=sudo
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id46" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id46"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id45" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id45"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
 
 class install_sudo {
   package { 'sudo':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id46" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id46"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=sudo
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system-tools" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_software"><td style="padding-left: 57px" id="xccdf_org.ssgproject.content_group_system-tools"><span class="label label-default">Group</span>  
                 System Tooling / Utilities
                           <small>Group contains 4 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_system-tools" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_system-tools" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_software"><td style="padding-left: 57px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_system-tools">[ref]</a>  
@@ -689,7 +689,11 @@
 if ! rpm -q --quiet "gnutls-utils" ; then
     dnf install -y "gnutls-utils"
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id49" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id49"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure gnutls-utils is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id49" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id49"><pre><code>
+[[packages]]
+name = "gnutls-utils"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id50" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id50"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure gnutls-utils is installed
   package:
     name: gnutls-utils
     state: present
@@ -701,19 +705,15 @@
   - medium_severity
   - no_reboot_needed
   - package_gnutls-utils_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id50" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id50"><pre><code>
-[[packages]]
-name = "gnutls-utils"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id51" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id51"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=gnutls-utils
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id52" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id52"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_gnutls-utils
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id51" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id51"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_gnutls-utils
 
 class install_gnutls-utils {
   package { 'gnutls-utils':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id52" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id52"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=gnutls-utils
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_openscap-scanner_installed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_openscap-scanner_installed" id="guide-tree-leaf-id53" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system-tools"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_openscap-scanner_installed"><span class="label label-default">Rule</span>  
                                 Install openscap-scanner Package
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_openscap-scanner_installed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The <code>openscap-scanner</code> package can be installed with the following command:
@@ -726,7 +726,11 @@
 if ! rpm -q --quiet "openscap-scanner" ; then
     dnf install -y "openscap-scanner"
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id55" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id55"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure openscap-scanner is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id55" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id55"><pre><code>
+[[packages]]
+name = "openscap-scanner"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id56" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id56"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure openscap-scanner is installed
   package:
     name: openscap-scanner
     state: present
@@ -738,19 +742,15 @@
   - medium_severity
   - no_reboot_needed
   - package_openscap-scanner_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id56" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id56"><pre><code>
-[[packages]]
-name = "openscap-scanner"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id57" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id57"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=openscap-scanner
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id58" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id58"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_openscap-scanner
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id57" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id57"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_openscap-scanner
/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-e8.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-e8.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-e8.html	2023-07-27 00:00:00.000000000 +0000
@@ -71,7 +71,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Australian Cyber Security Centre (ACSC) Essential Eight</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_e8</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:9</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_avahi">Avahi Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_fapolicyd">Application Whitelisting Daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_proxy">Proxy Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_routing">Network Routing</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-9"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 9
                           <small>Group contains 48 groups and 98 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -621,7 +621,27 @@
 	echo "Error invoking the update-crypto-policies script: $stderr_of_call" &gt;&amp;2
 	false  # end with an error code
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id28" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id28"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id28" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id28"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    systemd:
+      units:
+        - name: configure-crypto-policy.service
+          enabled: true
+          contents: |
+            [Unit]
+            Before=kubelet.service
+            [Service]
+            Type=oneshot
+            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
+            RemainAfterExit=yes
+            [Install]
+            WantedBy=multi-user.target
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id29" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id29"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
   set_fact:
     var_system_crypto_policy: !!str <abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_system_crypto_policy">DEFAULT:NO-SHA1</abbr>
   tags:
@@ -666,26 +686,6 @@
   - low_disruption
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id29" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id29"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-        - name: configure-crypto-policy.service
-          enabled: true
-          contents: |
-            [Unit]
-            Before=kubelet.service
-            [Service]
-            Type=oneshot
-            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
-            RemainAfterExit=yes
-            [Install]
-            WantedBy=multi-user.target
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy" id="guide-tree-leaf-id30" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_crypto"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy"><span class="label label-default">Rule</span>  
                                 Configure SSH to use System Crypto Policy
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -986,7 +986,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id44" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id44"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rear is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id44" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id44"><pre><code>
+[[packages]]
+name = "rear"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id45" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id45"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rear is installed
   package:
     name: rear
     state: present
@@ -1003,19 +1007,15 @@
   - medium_severity
   - no_reboot_needed
   - package_rear_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id45" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id45"><pre><code>
-[[packages]]
-name = "rear"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id46" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id46"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=rear
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id47" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id47"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_rear
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id46" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id46"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_rear
 
 class install_rear {
   package { 'rear':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id47" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id47"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=rear
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_updating" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_software"><td style="padding-left: 57px" id="xccdf_org.ssgproject.content_group_updating"><span class="label label-default">Group</span>  
                 Updating Software
                           <small>Group contains 6 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_updating" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_updating" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_software"><td style="padding-left: 57px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_updating">[ref]</a>  
@@ -1627,7 +1627,26 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id67" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id67"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id67" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id67"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/password-auth
+        overwrite: true
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/system-auth
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id68" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id68"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
     authselect
   ansible.builtin.stat:
     path: /usr/bin/authselect
@@ -1751,25 +1770,6 @@
   - medium_disruption
   - no_empty_passwords
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id68" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id68"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/password-auth
-        overwrite: true
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/system-auth
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_root_logins" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-restrictions"><td style="padding-left: 76px" id="xccdf_org.ssgproject.content_group_root_logins"><span class="label label-default">Group</span>  
                 Restrict Root Logins
                           <small>Group contains  1 rule</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_root_logins" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_root_logins" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-restrictions"><td style="padding-left: 76px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_root_logins">[ref]</a>  
@@ -8977,7 +8977,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id114" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id114"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id114" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id114"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db64%20-S%20adjtimex%20-k%20audit_time_rules%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20adjtimex%20-k%20audit_time_rules%0A }}
+        mode: 0600
+        path: /etc/audit/rules.d/75-syscall-adjtimex.rules
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id115" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id115"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -9305,20 +9319,6 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id115" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id115"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db64%20-S%20adjtimex%20-k%20audit_time_rules%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20adjtimex%20-k%20audit_time_rules%0A }}
-        mode: 0600
-        path: /etc/audit/rules.d/75-syscall-adjtimex.rules
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime" id="guide-tree-leaf-id116" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_audit_time_rules"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime"><span class="label label-default">Rule</span>  
                                 Record Attempts to Alter Time Through clock_settime
/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-hipaa.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-hipaa.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-hipaa.html	2023-07-27 00:00:00.000000000 +0000
@@ -74,7 +74,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Health Insurance Portability and Accountability Act (HIPAA)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_hipaa</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:9</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-9"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 9
                           <small>Group contains 52 groups and 135 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -503,7 +503,27 @@
 	echo "Error invoking the update-crypto-policies script: $stderr_of_call" &gt;&amp;2
 	false  # end with an error code
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    systemd:
+      units:
+        - name: configure-crypto-policy.service
+          enabled: true
+          contents: |
+            [Unit]
+            Before=kubelet.service
+            [Service]
+            Type=oneshot
+            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
+            RemainAfterExit=yes
+            [Install]
+            WantedBy=multi-user.target
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id26" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id26"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
   set_fact:
     var_system_crypto_policy: !!str <abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_system_crypto_policy">FIPS</abbr>
   tags:
@@ -548,26 +568,6 @@
   - low_disruption
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id26" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id26"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-        - name: configure-crypto-policy.service
-          enabled: true
-          contents: |
-            [Unit]
-            Before=kubelet.service
-            [Service]
-            Type=oneshot
-            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
-            RemainAfterExit=yes
-            [Install]
-            WantedBy=multi-user.target
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy" id="guide-tree-leaf-id27" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_crypto"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy"><span class="label label-default">Rule</span>  
                                 Configure SSH to use System Crypto Policy
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -1500,7 +1500,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id53" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id53"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Block Disable service debug-shell
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id53" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id53"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    systemd:
+      units:
+      - enabled: false
+        name: debug-shell.service
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id54" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id54"><pre><code>
+[customizations.services]
+disabled = ["debug-shell"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id55" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id55"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Block Disable service debug-shell
   block:
 
   - name: Disable service debug-shell
@@ -1566,20 +1580,6 @@
   - medium_severity
   - no_reboot_needed
   - service_debug-shell_disabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id54" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id54"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-      - enabled: false
-        name: debug-shell.service
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id55" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id55"><pre><code>
-[customizations.services]
-disabled = ["debug-shell"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id56" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id56"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include disable_debug-shell
 
 class disable_debug-shell {
@@ -1956,7 +1956,26 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id71" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id71"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id71" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id71"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/password-auth
+        overwrite: true
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/system-auth
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id72" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id72"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
     authselect
   ansible.builtin.stat:
     path: /usr/bin/authselect
@@ -2080,25 +2099,6 @@
   - medium_disruption
   - no_empty_passwords
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id72" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id72"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/password-auth
-        overwrite: true
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/system-auth
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_root_logins" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-restrictions"><td style="padding-left: 76px" id="xccdf_org.ssgproject.content_group_root_logins"><span class="label label-default">Group</span>  
                 Restrict Root Logins
                           <small>Group contains 3 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_root_logins" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_root_logins" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-restrictions"><td style="padding-left: 76px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_root_logins">[ref]</a>  
@@ -2151,7 +2151,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id75" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id75"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Direct root Logins Not Allowed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id75" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id75"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,
+        mode: 0600
+        path: /etc/securetty
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id76" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id76"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Direct root Logins Not Allowed
   copy:
     dest: /etc/securetty
     content: ''
@@ -2169,20 +2183,6 @@
   - no_direct_root_logins
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id76" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id76"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-ism_o.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-ism_o.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-ism_o.html	2023-07-27 00:00:00.000000000 +0000
@@ -75,7 +75,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Australian Cyber Security Centre (ACSC) ISM Official</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_ism_o</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:9</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_avahi">Avahi Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_fapolicyd">Application Whitelisting Daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_proxy">Proxy Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_routing">Network Routing</a></li><li><a href="#xccdf_org.ssgproject.content_group_snmp">SNMP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_usbguard">USBGuard daemon</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-9"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 9
                           <small>Group contains 71 groups and 148 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -588,7 +588,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id28" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id28"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id28" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id28"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id29" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id29"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -605,19 +609,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id29" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id29"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id30" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id30"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id31" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id31"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id30" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id30"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id31" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id31"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_fips" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_integrity"><td style="padding-left: 76px" id="xccdf_org.ssgproject.content_group_fips"><span class="label label-default">Group</span>  
                 Federal Information Processing Standard (FIPS)
                           <small>Group contains  1 rule</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_fips" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_fips" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_integrity"><td style="padding-left: 76px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_fips">[ref]</a>  
@@ -735,7 +735,27 @@
 	echo "Error invoking the update-crypto-policies script: $stderr_of_call" &gt;&amp;2
 	false  # end with an error code
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id36" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id36"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id36" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id36"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    systemd:
+      units:
+        - name: configure-crypto-policy.service
+          enabled: true
+          contents: |
+            [Unit]
+            Before=kubelet.service
+            [Service]
+            Type=oneshot
+            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
+            RemainAfterExit=yes
+            [Install]
+            WantedBy=multi-user.target
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id37" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id37"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
   set_fact:
     var_system_crypto_policy: !!str <abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_system_crypto_policy">FIPS</abbr>
   tags:
@@ -780,26 +800,6 @@
   - low_disruption
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id37" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id37"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-        - name: configure-crypto-policy.service
-          enabled: true
-          contents: |
-            [Unit]
-            Before=kubelet.service
-            [Service]
-            Type=oneshot
-            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
-            RemainAfterExit=yes
-            [Install]
-            WantedBy=multi-user.target
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy" id="guide-tree-leaf-id38" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_crypto"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy"><span class="label label-default">Rule</span>  
                                 Configure SSH to use System Crypto Policy
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -862,7 +862,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id43" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id43"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id43" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id43"><pre><code>
+[[packages]]
+name = "sudo"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id44" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id44"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -877,19 +881,15 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id44" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id44"><pre><code>
-[[packages]]
-name = "sudo"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id45" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id45"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=sudo
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id46" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id46"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id45" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id45"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
 
 class install_sudo {
   package { 'sudo':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id46" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id46"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=sudo
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate" id="guide-tree-leaf-id47" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_sudo"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate"><span class="label label-default">Rule</span>  
                                 Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The sudo <code>!authenticate</code> option, when specified, allows a user to execute commands using
@@ -1147,7 +1147,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id58" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id58"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rear is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id58" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id58"><pre><code>
+[[packages]]
+name = "rear"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id59" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id59"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rear is installed
   package:
     name: rear
     state: present
@@ -1164,19 +1168,15 @@
   - medium_severity
   - no_reboot_needed
   - package_rear_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id59" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id59"><pre><code>
-[[packages]]
-name = "rear"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id60" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id60"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=rear
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id61" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id61"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_rear
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id60" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id60"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_rear
 
 class install_rear {
   package { 'rear':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id61" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id61"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=rear
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_updating" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_software"><td style="padding-left: 57px" id="xccdf_org.ssgproject.content_group_updating"><span class="label label-default">Group</span>  
                 Updating Software
                           <small>Group contains 6 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_updating" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_updating" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_software"><td style="padding-left: 57px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_updating">[ref]</a>  
@@ -6095,7 +6095,26 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id115" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id115"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id115" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id115"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/password-auth
+        overwrite: true
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/system-auth
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id116" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id116"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-ospp.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-ospp.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-ospp.html	2023-07-27 00:00:00.000000000 +0000
@@ -71,7 +71,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Protection Profile for General Purpose Operating Systems</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_ospp</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:9</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-zipl">zIPL bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_fapolicyd">Application Whitelisting Daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_usbguard">USBGuard daemon</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-9"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 9
                           <small>Group contains 46 groups and 144 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -275,7 +275,11 @@
 if ! rpm -q --quiet "crypto-policies" ; then
     dnf install -y "crypto-policies"
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id24" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id24"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure crypto-policies is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id24" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id24"><pre><code>
+[[packages]]
+name = "crypto-policies"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure crypto-policies is installed
   package:
     name: crypto-policies
     state: present
@@ -287,19 +291,15 @@
   - medium_severity
   - no_reboot_needed
   - package_crypto-policies_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><pre><code>
-[[packages]]
-name = "crypto-policies"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id26" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id26"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=crypto-policies
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id27" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id27"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_crypto-policies
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id26" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id26"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_crypto-policies
 
 class install_crypto-policies {
   package { 'crypto-policies':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id27" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id27"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=crypto-policies
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_configure_crypto_policy" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_configure_crypto_policy" id="guide-tree-leaf-id28" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_crypto"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_configure_crypto_policy"><span class="label label-default">Rule</span>  
                                 Configure System Cryptography Policy
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_configure_crypto_policy">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">To configure the system cryptography policy to use ciphers only from the <code><abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_system_crypto_policy">FIPS:OSPP</abbr></code>
@@ -345,7 +345,27 @@
 	echo "Error invoking the update-crypto-policies script: $stderr_of_call" &gt;&amp;2
 	false  # end with an error code
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id30" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id30"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id30" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id30"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    systemd:
+      units:
+        - name: configure-crypto-policy.service
+          enabled: true
+          contents: |
+            [Unit]
+            Before=kubelet.service
+            [Service]
+            Type=oneshot
+            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
+            RemainAfterExit=yes
+            [Install]
+            WantedBy=multi-user.target
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id31" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id31"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
   set_fact:
     var_system_crypto_policy: !!str <abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_system_crypto_policy">FIPS:OSPP</abbr>
   tags:
@@ -390,26 +410,6 @@
   - low_disruption
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id31" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id31"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-        - name: configure-crypto-policy.service
-          enabled: true
-          contents: |
-            [Unit]
-            Before=kubelet.service
-            [Service]
-            Type=oneshot
-            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
-            RemainAfterExit=yes
-            [Install]
-            WantedBy=multi-user.target
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_configure_openssl_crypto_policy" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_configure_openssl_crypto_policy" id="guide-tree-leaf-id32" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_crypto"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_configure_openssl_crypto_policy"><span class="label label-default">Rule</span>  
                                 Configure OpenSSL library to use System Crypto Policy
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_configure_openssl_crypto_policy">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -631,7 +631,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id43" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id43"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id43" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id43"><pre><code>
+[[packages]]
+name = "sudo"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id44" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id44"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -646,19 +650,15 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id44" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id44"><pre><code>
-[[packages]]
-name = "sudo"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id45" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id45"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=sudo
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id46" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id46"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id45" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id45"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
 
 class install_sudo {
   package { 'sudo':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id46" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id46"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=sudo
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system-tools" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_software"><td style="padding-left: 57px" id="xccdf_org.ssgproject.content_group_system-tools"><span class="label label-default">Group</span>  
                 System Tooling / Utilities
                           <small>Group contains 4 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_system-tools" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_system-tools" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_software"><td style="padding-left: 57px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_system-tools">[ref]</a>  
@@ -679,7 +679,11 @@
 if ! rpm -q --quiet "gnutls-utils" ; then
     dnf install -y "gnutls-utils"
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id49" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id49"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure gnutls-utils is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id49" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id49"><pre><code>
+[[packages]]
+name = "gnutls-utils"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id50" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id50"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure gnutls-utils is installed
   package:
     name: gnutls-utils
     state: present
@@ -691,19 +695,15 @@
   - medium_severity
   - no_reboot_needed
   - package_gnutls-utils_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id50" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id50"><pre><code>
-[[packages]]
-name = "gnutls-utils"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id51" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id51"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=gnutls-utils
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id52" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id52"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_gnutls-utils
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id51" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id51"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_gnutls-utils
 
 class install_gnutls-utils {
   package { 'gnutls-utils':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id52" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id52"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=gnutls-utils
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_openscap-scanner_installed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_openscap-scanner_installed" id="guide-tree-leaf-id53" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system-tools"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_openscap-scanner_installed"><span class="label label-default">Rule</span>  
                                 Install openscap-scanner Package
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_openscap-scanner_installed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The <code>openscap-scanner</code> package can be installed with the following command:
@@ -716,7 +716,11 @@
 if ! rpm -q --quiet "openscap-scanner" ; then
     dnf install -y "openscap-scanner"
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id55" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id55"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure openscap-scanner is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id55" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id55"><pre><code>
+[[packages]]
+name = "openscap-scanner"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id56" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id56"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure openscap-scanner is installed
   package:
     name: openscap-scanner
     state: present
@@ -728,19 +732,15 @@
   - medium_severity
   - no_reboot_needed
   - package_openscap-scanner_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id56" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id56"><pre><code>
-[[packages]]
-name = "openscap-scanner"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id57" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id57"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=openscap-scanner
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id58" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id58"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_openscap-scanner
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id57" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id57"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_openscap-scanner
/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-pci-dss.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-pci-dss.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-pci-dss.html	2023-07-27 00:00:00.000000000 +0000
@@ -65,7 +65,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 9</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_pci-dss</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:9</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_sssd">System Security Services Daemon</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-9"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 9
                           <small>Group contains 49 groups and 123 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -457,7 +457,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id26" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id26"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -474,19 +478,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id26" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id26"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id27" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id27"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id28" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id28"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id27" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id27"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id28" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id28"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_build_database" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_aide_build_database" id="guide-tree-leaf-id29" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_aide"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_aide_build_database"><span class="label label-default">Rule</span>  
                                 Build and Test AIDE Database
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_aide_build_database">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Run the following command to generate a new database:
@@ -831,7 +831,27 @@
 	echo "Error invoking the update-crypto-policies script: $stderr_of_call" &gt;&amp;2
 	false  # end with an error code
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id39" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id39"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id39" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id39"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    systemd:
+      units:
+        - name: configure-crypto-policy.service
+          enabled: true
+          contents: |
+            [Unit]
+            Before=kubelet.service
+            [Service]
+            Type=oneshot
+            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
+            RemainAfterExit=yes
+            [Install]
+            WantedBy=multi-user.target
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id40" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id40"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
   set_fact:
     var_system_crypto_policy: !!str <abbr title="from Benchmark/Value: xccdf_org.ssgproject.content_value_var_system_crypto_policy">DEFAULT</abbr>
   tags:
@@ -876,26 +896,6 @@
   - low_disruption
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id40" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id40"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-        - name: configure-crypto-policy.service
-          enabled: true
-          contents: |
-            [Unit]
-            Before=kubelet.service
-            [Service]
-            Type=oneshot
-            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
-            RemainAfterExit=yes
-            [Install]
-            WantedBy=multi-user.target
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy" id="guide-tree-leaf-id41" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_crypto"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy"><span class="label label-default">Rule</span>  
                                 Configure Kerberos to use System Crypto Policy
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -7134,7 +7134,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id121" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id121"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure opensc is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id121" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id121"><pre><code>
+[[packages]]
+name = "opensc"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id122" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id122"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure opensc is installed
   package:
     name: opensc
     state: present
@@ -7148,19 +7152,15 @@
   - medium_severity
   - no_reboot_needed
   - package_opensc_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id122" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id122"><pre><code>
-[[packages]]
-name = "opensc"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id123" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id123"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=opensc
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id124" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id124"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_opensc
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id123" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id123"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_opensc
 
 class install_opensc {
   package { 'opensc':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id124" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id124"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=opensc
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_pcsc-lite_installed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_pcsc-lite_installed" id="guide-tree-leaf-id125" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smart_card_login"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_pcsc-lite_installed"><span class="label label-default">Rule</span>  
                                 Install the pcsc-lite package
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_pcsc-lite_installed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The <code>pcsc-lite</code> package can be installed with the following command:
@@ -7178,7 +7178,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id127" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id127"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure pcsc-lite is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id127" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id127"><pre><code>
+[[packages]]
+name = "pcsc-lite"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id128" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id128"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure pcsc-lite is installed
   package:
     name: pcsc-lite
     state: present
@@ -7192,19 +7196,15 @@
   - medium_severity
   - no_reboot_needed
   - package_pcsc-lite_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id128" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id128"><pre><code>
-[[packages]]
-name = "pcsc-lite"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id129" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id129"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=pcsc-lite
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id130" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id130"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_pcsc-lite
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id129" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id129"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_pcsc-lite
 
 class install_pcsc-lite {
   package { 'pcsc-lite':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id130" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id130"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=pcsc-lite
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_pcscd_enabled" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_pcscd_enabled" id="guide-tree-leaf-id131" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smart_card_login"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_service_pcscd_enabled"><span class="label label-default">Rule</span>  
                                 Enable the pcscd Service
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_service_pcscd_enabled">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">
@@ -7231,7 +7231,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id133" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id133"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service pcscd
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id133" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id133"><pre><code>
+[customizations.services]
+enabled = ["pcscd"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id134" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id134"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service pcscd
   block:
 
   - name: Gather the package facts
@@ -7270,9 +7273,6 @@
   - medium_severity
   - no_reboot_needed
   - service_pcscd_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id134" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id134"><pre><code>
-[customizations.services]
-enabled = ["pcscd"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id135" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id135"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_pcscd
 
 class enable_pcscd {
@@ -7676,7 +7676,26 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-stig.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-stig.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-stig.html	2023-07-27 00:00:00.000000000 +0000
@@ -77,7 +77,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>[DRAFT] DISA STIG for Red Hat Enterprise Linux 9</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_stig</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:9</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_fapolicyd">Application Whitelisting Daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_routing">Network Routing</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_sssd">System Security Services Daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_usbguard">USBGuard daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_xwindows">X Window System</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-9"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 9
                           <small>Group contains 115 groups and 495 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -132,7 +132,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id19" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id19"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id19" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id19"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id20" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id20"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -149,19 +153,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id20" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id20"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id21" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id21"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id21" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id21"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_check_audit_tools" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_aide_check_audit_tools" id="guide-tree-leaf-id23" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_aide"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_aide_check_audit_tools"><span class="label label-default">Rule</span>  
                                 Configure AIDE to Verify the Audit Tools
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_aide_check_audit_tools">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The operating system file integrity tool must be configured to protect the integrity of the audit tools.</div></td></tr><tr><td><span class="label label-primary">Rationale:</span></td><td><div class="rationale">Protecting the integrity of the tools used for auditing purposes is a
@@ -1556,7 +1556,11 @@
 if ! rpm -q --quiet "crypto-policies" ; then
     dnf install -y "crypto-policies"
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id52" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id52"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure crypto-policies is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id52" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id52"><pre><code>
+[[packages]]
+name = "crypto-policies"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id53" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id53"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure crypto-policies is installed
   package:
     name: crypto-policies
     state: present
@@ -1568,19 +1572,15 @@
   - medium_severity
   - no_reboot_needed
   - package_crypto-policies_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id53" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id53"><pre><code>
-[[packages]]
-name = "crypto-policies"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id54" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id54"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=crypto-policies
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id55" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id55"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_crypto-policies
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id54" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id54"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_crypto-policies
 
 class install_crypto-policies {
   package { 'crypto-policies':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id55" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id55"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=crypto-policies
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_configure_bind_crypto_policy" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_configure_bind_crypto_policy" id="guide-tree-leaf-id56" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_crypto"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_configure_bind_crypto_policy"><span class="label label-default">Rule</span>  
                                 Configure BIND to use System Crypto Policy
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_configure_bind_crypto_policy">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -1652,7 +1652,27 @@
 	echo "Error invoking the update-crypto-policies script: $stderr_of_call" &gt;&amp;2
 	false  # end with an error code
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id60" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id60"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id60" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id60"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    systemd:
+      units:
+        - name: configure-crypto-policy.service
+          enabled: true
+          contents: |
+            [Unit]
+            Before=kubelet.service
+            [Service]
+            Type=oneshot
+            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
+            RemainAfterExit=yes
+            [Install]
+            WantedBy=multi-user.target
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id61" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id61"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
   set_fact:
     var_system_crypto_policy: !!str <abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_system_crypto_policy">FIPS</abbr>
   tags:
@@ -1697,26 +1717,6 @@
   - low_disruption
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id61" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id61"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-        - name: configure-crypto-policy.service
-          enabled: true
-          contents: |
-            [Unit]
-            Before=kubelet.service
-            [Service]
-            Type=oneshot
-            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
-            RemainAfterExit=yes
-            [Install]
-            WantedBy=multi-user.target
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy" id="guide-tree-leaf-id62" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_crypto"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy"><span class="label label-default">Rule</span>  
                                 Configure Libreswan to use System Crypto Policy
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -4249,7 +4249,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id141" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id141"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id141" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id141"><pre><code>
+[[packages]]
+name = "sudo"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id142" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id142"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -4264,19 +4268,15 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id142" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id142"><pre><code>
-[[packages]]
-name = "sudo"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id143" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id143"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=sudo
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id144" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id144"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id143" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id143"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
 
 class install_sudo {
   package { 'sudo':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id144" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id144"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=sudo
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate" id="guide-tree-leaf-id145" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_sudo"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate"><span class="label label-default">Rule</span>  
                                 Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The sudo <code>!authenticate</code> option, when specified, allows a user to execute commands using
@@ -4977,7 +4977,11 @@
 if ! rpm -q --quiet "gnutls-utils" ; then
     dnf install -y "gnutls-utils"
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id160" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id160"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure gnutls-utils is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id160" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id160"><pre><code>
+[[packages]]
+name = "gnutls-utils"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id161" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id161"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure gnutls-utils is installed
   package:
     name: gnutls-utils
     state: present
@@ -4989,19 +4993,15 @@
   - medium_severity
   - no_reboot_needed
   - package_gnutls-utils_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id161" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id161"><pre><code>
-[[packages]]
-name = "gnutls-utils"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id162" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id162"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=gnutls-utils
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id163" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id163"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_gnutls-utils
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id162" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id162"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_gnutls-utils
/usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-stig_gui.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-stig_gui.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhel9-guide-stig_gui.html	2023-07-27 00:00:00.000000000 +0000
@@ -83,7 +83,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>[DRAFT] DISA STIG with GUI for Red Hat Enterprise Linux 9</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_stig_gui</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:9 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:9</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_fapolicyd">Application Whitelisting Daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_routing">Network Routing</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_sssd">System Security Services Daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_usbguard">USBGuard daemon</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-9"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 9
                           <small>Group contains 113 groups and 492 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-9"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -138,7 +138,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id19" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id19"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id19" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id19"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id20" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id20"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -155,19 +159,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id20" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id20"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id21" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id21"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id21" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id21"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_check_audit_tools" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_aide_check_audit_tools" id="guide-tree-leaf-id23" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_aide"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_aide_check_audit_tools"><span class="label label-default">Rule</span>  
                                 Configure AIDE to Verify the Audit Tools
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_aide_check_audit_tools">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The operating system file integrity tool must be configured to protect the integrity of the audit tools.</div></td></tr><tr><td><span class="label label-primary">Rationale:</span></td><td><div class="rationale">Protecting the integrity of the tools used for auditing purposes is a
@@ -1562,7 +1562,11 @@
 if ! rpm -q --quiet "crypto-policies" ; then
     dnf install -y "crypto-policies"
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id52" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id52"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure crypto-policies is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id52" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id52"><pre><code>
+[[packages]]
+name = "crypto-policies"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id53" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id53"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure crypto-policies is installed
   package:
     name: crypto-policies
     state: present
@@ -1574,19 +1578,15 @@
   - medium_severity
   - no_reboot_needed
   - package_crypto-policies_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id53" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id53"><pre><code>
-[[packages]]
-name = "crypto-policies"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id54" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id54"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=crypto-policies
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id55" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id55"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_crypto-policies
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id54" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id54"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_crypto-policies
 
 class install_crypto-policies {
   package { 'crypto-policies':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id55" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id55"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=crypto-policies
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_configure_bind_crypto_policy" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_configure_bind_crypto_policy" id="guide-tree-leaf-id56" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_crypto"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_configure_bind_crypto_policy"><span class="label label-default">Rule</span>  
                                 Configure BIND to use System Crypto Policy
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_configure_bind_crypto_policy">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -1658,7 +1658,27 @@
 	echo "Error invoking the update-crypto-policies script: $stderr_of_call" &gt;&amp;2
 	false  # end with an error code
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id60" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id60"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id60" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id60"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    systemd:
+      units:
+        - name: configure-crypto-policy.service
+          enabled: true
+          contents: |
+            [Unit]
+            Before=kubelet.service
+            [Service]
+            Type=oneshot
+            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
+            RemainAfterExit=yes
+            [Install]
+            WantedBy=multi-user.target
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id61" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id61"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: XCCDF Value var_system_crypto_policy # promote to variable
   set_fact:
     var_system_crypto_policy: !!str <abbr title="from Profile/refine-value: xccdf_org.ssgproject.content_value_var_system_crypto_policy">FIPS</abbr>
   tags:
@@ -1703,26 +1723,6 @@
   - low_disruption
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id61" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id61"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-        - name: configure-crypto-policy.service
-          enabled: true
-          contents: |
-            [Unit]
-            Before=kubelet.service
-            [Service]
-            Type=oneshot
-            ExecStart=update-crypto-policies --set {{.var_system_crypto_policy}}
-            RemainAfterExit=yes
-            [Install]
-            WantedBy=multi-user.target
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy" id="guide-tree-leaf-id62" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_crypto"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy"><span class="label label-default">Rule</span>  
                                 Configure Libreswan to use System Crypto Policy
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
@@ -4255,7 +4255,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id141" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id141"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id141" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id141"><pre><code>
+[[packages]]
+name = "sudo"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id142" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id142"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -4270,19 +4274,15 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id142" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id142"><pre><code>
-[[packages]]
-name = "sudo"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id143" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id143"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=sudo
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id144" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id144"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id143" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id143"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
 
 class install_sudo {
   package { 'sudo':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id144" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id144"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=sudo
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate" id="guide-tree-leaf-id145" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_sudo"><td style="padding-left: 76px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate"><span class="label label-default">Rule</span>  
                                 Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The sudo <code>!authenticate</code> option, when specified, allows a user to execute commands using
@@ -4983,7 +4983,11 @@
 if ! rpm -q --quiet "gnutls-utils" ; then
     dnf install -y "gnutls-utils"
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id160" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id160"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure gnutls-utils is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id160" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id160"><pre><code>
+[[packages]]
+name = "gnutls-utils"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id161" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id161"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure gnutls-utils is installed
   package:
     name: gnutls-utils
     state: present
@@ -4995,19 +4999,15 @@
   - medium_severity
   - no_reboot_needed
   - package_gnutls-utils_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id161" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id161"><pre><code>
-[[packages]]
-name = "gnutls-utils"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id162" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id162"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=gnutls-utils
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id163" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id163"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_gnutls-utils
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id162" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id162"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_gnutls-utils
/usr/share/doc/scap-security-guide/guides/ssg-rhv4-guide-pci-dss.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhv4-guide-pci-dss.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhv4-guide-pci-dss.html	2023-07-27 00:00:00.000000000 +0000
@@ -65,7 +65,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>PCI-DSS v3.2.1 Control Baseline for Red Hat Virtualization Host (RHVH)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_pci-dss</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8::hypervisor is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8::hypervisor</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/a:redhat:enterprise_virtualization_manager:4 is applicable to this Benchmark">cpe:/a:redhat:enterprise_virtualization_manager:4</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_sssd">System Security Services Daemon</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHV-4"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHV-4"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Virtualization 4
                           <small>Group contains 45 groups and 116 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHV-4"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -445,7 +445,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id12" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id12"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id12" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id12"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id13" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id13"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -461,19 +465,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id13" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id13"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id14" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id14"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id15" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id15"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id14" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id14"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id15" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id15"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_build_database" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_aide_build_database" id="guide-tree-leaf-id16" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_aide"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_aide_build_database"><span class="label label-default">Rule</span>  
                                 Build and Test AIDE Database
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_aide_build_database">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Run the following command to generate a new database:
@@ -6055,7 +6055,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id87" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id87"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure opensc is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id87" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id87"><pre><code>
+[[packages]]
+name = "opensc"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id88" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id88"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure opensc is installed
   package:
     name: opensc
     state: present
@@ -6068,19 +6072,15 @@
   - medium_severity
   - no_reboot_needed
   - package_opensc_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id88" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id88"><pre><code>
-[[packages]]
-name = "opensc"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id89" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id89"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=opensc
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id90" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id90"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_opensc
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id89" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id89"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_opensc
 
 class install_opensc {
   package { 'opensc':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id90" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id90"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=opensc
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_pcsc-lite_installed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_pcsc-lite_installed" id="guide-tree-leaf-id91" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smart_card_login"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_pcsc-lite_installed"><span class="label label-default">Rule</span>  
                                 Install the pcsc-lite package
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_pcsc-lite_installed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The <code>pcsc-lite</code> package can be installed with the following command:
@@ -6097,7 +6097,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id93" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id93"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure pcsc-lite is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id93" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id93"><pre><code>
+[[packages]]
+name = "pcsc-lite"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id94" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id94"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure pcsc-lite is installed
   package:
     name: pcsc-lite
     state: present
@@ -6110,19 +6114,15 @@
   - medium_severity
   - no_reboot_needed
   - package_pcsc-lite_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id94" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id94"><pre><code>
-[[packages]]
-name = "pcsc-lite"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id95" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id95"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=pcsc-lite
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id96" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id96"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_pcsc-lite
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id95" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id95"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_pcsc-lite
 
 class install_pcsc-lite {
   package { 'pcsc-lite':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id96" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id96"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=pcsc-lite
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_pcscd_enabled" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_pcscd_enabled" id="guide-tree-leaf-id97" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smart_card_login"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_service_pcscd_enabled"><span class="label label-default">Rule</span>  
                                 Enable the pcscd Service
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_service_pcscd_enabled">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">
@@ -6148,7 +6148,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id99" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id99"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service pcscd
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id99" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id99"><pre><code>
+[customizations.services]
+enabled = ["pcscd"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id100" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id100"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service pcscd
   block:
 
   - name: Gather the package facts
@@ -6186,9 +6189,6 @@
   - medium_severity
   - no_reboot_needed
   - service_pcscd_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id100" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id100"><pre><code>
-[customizations.services]
-enabled = ["pcscd"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id101" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id101"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_pcscd
 
 class enable_pcscd {
@@ -6702,7 +6702,26 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id119" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id119"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id119" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id119"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/password-auth
+        overwrite: true
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/system-auth
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id120" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id120"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
     authselect
   ansible.builtin.stat:
     path: /usr/bin/authselect
@@ -6823,25 +6842,6 @@
   - medium_disruption
   - no_empty_passwords
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id120" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id120"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/password-auth
-        overwrite: true
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/system-auth
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_auditing" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td style="padding-left: 38px" id="xccdf_org.ssgproject.content_group_auditing"><span class="label label-default">Group</span>  
                 System Accounting with auditd
                           <small>Group contains 9 groups and 57 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_auditing" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_auditing" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td style="padding-left: 38px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_auditing">[ref]</a>  
@@ -40783,7 +40783,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id283" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id283"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure audispd-plugins is installed
/usr/share/doc/scap-security-guide/guides/ssg-rhv4-guide-rhvh-stig.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhv4-guide-rhvh-stig.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhv4-guide-rhvh-stig.html	2023-07-27 00:00:00.000000000 +0000
@@ -66,7 +66,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>[DRAFT] DISA STIG for Red Hat Virtualization Host (RHVH)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_rhvh-stig</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8::hypervisor is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8::hypervisor</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/a:redhat:enterprise_virtualization_manager:4 is applicable to this Benchmark">cpe:/a:redhat:enterprise_virtualization_manager:4</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_routing">Network Routing</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_sssd">System Security Services Daemon</a></li><li><a href="#xccdf_org.ssgproject.content_group_xwindows">X Window System</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHV-4"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHV-4"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Virtualization 4
                           <small>Group contains 101 groups and 375 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHV-4"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -563,7 +563,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id15" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id15"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id15" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id15"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id16" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id16"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -579,19 +583,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id16" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id16"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id17" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id17"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id18" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id18"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id17" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id17"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id18" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id18"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_build_database" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_aide_build_database" id="guide-tree-leaf-id19" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_aide"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_aide_build_database"><span class="label label-default">Rule</span>  
                                 Build and Test AIDE Database
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_aide_build_database">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Run the following command to generate a new database:
@@ -1757,15 +1757,15 @@
   - medium_severity
   - no_reboot_needed
   - package_gdm_removed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id70" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id70"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
-package --remove=gdm
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id71" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id71"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_gdm
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id70" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id70"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>include remove_gdm
 
 class remove_gdm {
   package { 'gdm':
     ensure =&gt; 'purged',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id71" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id71"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>
+package --remove=gdm
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_sudo" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_software"><td style="padding-left: 57px" id="xccdf_org.ssgproject.content_group_sudo"><span class="label label-default">Group</span>  
                 Sudo
                           <small>Group contains 2 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_sudo" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_sudo" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_software"><td style="padding-left: 57px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_sudo">[ref]</a>  
@@ -9307,7 +9307,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id158" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id158"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure tmux is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id158" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id158"><pre><code>
+[[packages]]
+name = "tmux"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id159" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id159"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure tmux is installed
   package:
     name: tmux
     state: present
@@ -9321,19 +9325,15 @@
   - medium_severity
   - no_reboot_needed
   - package_tmux_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id159" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id159"><pre><code>
-[[packages]]
-name = "tmux"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id160" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id160"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=tmux
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id161" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id161"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_tmux
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id160" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id160"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_tmux
 
 class install_tmux {
   package { 'tmux':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id161" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id161"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=tmux
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_smart_card_login" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_screen_locking"><td style="padding-left: 95px" id="xccdf_org.ssgproject.content_group_smart_card_login"><span class="label label-default">Group</span>  
                 Hardware Tokens for Authentication
                           <small>Group contains 5 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_smart_card_login" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_smart_card_login" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_screen_locking"><td style="padding-left: 95px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_smart_card_login">[ref]</a>  
@@ -9367,7 +9367,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id164" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id164"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure opensc is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id164" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id164"><pre><code>
+[[packages]]
+name = "opensc"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id165" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id165"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure opensc is installed
   package:
     name: opensc
     state: present
@@ -9380,19 +9384,15 @@
   - medium_severity
   - no_reboot_needed
   - package_opensc_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id165" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id165"><pre><code>
-[[packages]]
-name = "opensc"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id166" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id166"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=opensc
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id167" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id167"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_opensc
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id166" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id166"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_opensc
 
 class install_opensc {
   package { 'opensc':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id167" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id167"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=opensc
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_pcsc-lite_installed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_pcsc-lite_installed" id="guide-tree-leaf-id168" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smart_card_login"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_pcsc-lite_installed"><span class="label label-default">Rule</span>  
                                 Install the pcsc-lite package
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_pcsc-lite_installed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The <code>pcsc-lite</code> package can be installed with the following command:
@@ -9409,7 +9409,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id170" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id170"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure pcsc-lite is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id170" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id170"><pre><code>
+[[packages]]
+name = "pcsc-lite"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id171" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id171"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure pcsc-lite is installed
   package:
     name: pcsc-lite
     state: present
@@ -9422,19 +9426,15 @@
   - medium_severity
   - no_reboot_needed
   - package_pcsc-lite_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id171" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id171"><pre><code>
-[[packages]]
-name = "pcsc-lite"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id172" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id172"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=pcsc-lite
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id173" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id173"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_pcsc-lite
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id172" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id172"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_pcsc-lite
 
 class install_pcsc-lite {
   package { 'pcsc-lite':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id173" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id173"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=pcsc-lite
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_pcscd_enabled" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_pcscd_enabled" id="guide-tree-leaf-id174" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smart_card_login"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_service_pcscd_enabled"><span class="label label-default">Rule</span>  
                                 Enable the pcscd Service
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_service_pcscd_enabled">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">
@@ -9460,7 +9460,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id176" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id176"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service pcscd
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id176" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id176"><pre><code>
+[customizations.services]
+enabled = ["pcscd"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id177" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id177"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service pcscd
   block:
 
   - name: Gather the package facts
@@ -9498,9 +9501,6 @@
   - medium_severity
   - no_reboot_needed
   - service_pcscd_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id177" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id177"><pre><code>
-[customizations.services]
-enabled = ["pcscd"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id178" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id178"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_pcscd
 
 class enable_pcscd {
@@ -9734,7 +9734,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
/usr/share/doc/scap-security-guide/guides/ssg-rhv4-guide-rhvh-vpp.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-rhv4-guide-rhvh-vpp.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-rhv4-guide-rhvh-vpp.html	2023-07-27 00:00:00.000000000 +0000
@@ -90,7 +90,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>VPP - Protection Profile for Virtualization v. 1.0 for Red Hat Virtualization Host (RHVH)</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_rhvh-vpp</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:8::hypervisor is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:8::hypervisor</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/a:redhat:enterprise_virtualization_manager:4 is applicable to this Benchmark">cpe:/a:redhat:enterprise_virtualization_manager:4</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li><li><a href="#xccdf_org.ssgproject.content_group_selinux">SELinux</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_sssd">System Security Services Daemon</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHV-4"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHV-4"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Virtualization 4
                           <small>Group contains 49 groups and 144 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHV-4"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -7484,7 +7484,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id104" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id104"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure opensc is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id104" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id104"><pre><code>
+[[packages]]
+name = "opensc"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id105" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id105"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure opensc is installed
   package:
     name: opensc
     state: present
@@ -7497,19 +7501,15 @@
   - medium_severity
   - no_reboot_needed
   - package_opensc_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id105" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id105"><pre><code>
-[[packages]]
-name = "opensc"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id106" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id106"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=opensc
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id107" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id107"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_opensc
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id106" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id106"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_opensc
 
 class install_opensc {
   package { 'opensc':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id107" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id107"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=opensc
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_package_pcsc-lite_installed" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_package_pcsc-lite_installed" id="guide-tree-leaf-id108" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smart_card_login"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_package_pcsc-lite_installed"><span class="label label-default">Rule</span>  
                                 Install the pcsc-lite package
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_package_pcsc-lite_installed">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">The <code>pcsc-lite</code> package can be installed with the following command:
@@ -7526,7 +7526,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id110" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id110"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure pcsc-lite is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id110" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id110"><pre><code>
+[[packages]]
+name = "pcsc-lite"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id111" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id111"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure pcsc-lite is installed
   package:
     name: pcsc-lite
     state: present
@@ -7539,19 +7543,15 @@
   - medium_severity
   - no_reboot_needed
   - package_pcsc-lite_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id111" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id111"><pre><code>
-[[packages]]
-name = "pcsc-lite"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id112" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id112"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=pcsc-lite
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id113" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id113"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_pcsc-lite
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id112" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id112"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_pcsc-lite
 
 class install_pcsc-lite {
   package { 'pcsc-lite':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id113" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id113"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=pcsc-lite
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_service_pcscd_enabled" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_service_pcscd_enabled" id="guide-tree-leaf-id114" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_smart_card_login"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_service_pcscd_enabled"><span class="label label-default">Rule</span>  
                                 Enable the pcscd Service
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_service_pcscd_enabled">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">
@@ -7577,7 +7577,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id116" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id116"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service pcscd
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id116" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id116"><pre><code>
+[customizations.services]
+enabled = ["pcscd"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id117" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id117"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service pcscd
   block:
 
   - name: Gather the package facts
@@ -7615,9 +7618,6 @@
   - medium_severity
   - no_reboot_needed
   - service_pcscd_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id117" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id117"><pre><code>
-[customizations.services]
-enabled = ["pcscd"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id118" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id118"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_pcscd
 
 class enable_pcscd {
@@ -8361,7 +8361,26 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id142" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id142"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id142" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id142"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/password-auth
+        overwrite: true
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/system-auth
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id143" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id143"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
     authselect
   ansible.builtin.stat:
     path: /usr/bin/authselect
@@ -8482,25 +8501,6 @@
   - medium_disruption
   - no_empty_passwords
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id143" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id143"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/password-auth
-        overwrite: true
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/system-auth
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_root_logins" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-restrictions"><td style="padding-left: 76px" id="xccdf_org.ssgproject.content_group_root_logins"><span class="label label-default">Group</span>  
                 Restrict Root Logins
                           <small>Group contains 5 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_root_logins" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_root_logins" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts-restrictions"><td style="padding-left: 76px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_root_logins">[ref]</a>  
@@ -46247,7 +46247,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id342" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id342"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id342" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id342"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    systemd:
+      units:
+      - name: auditd.service
+        enabled: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id343" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id343"><pre><code>
+[customizations.services]
+enabled = ["auditd"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id344" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id344"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -46313,20 +46327,6 @@
   - medium_severity
   - no_reboot_needed
   - service_auditd_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id343" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id343"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-      - name: auditd.service
-        enabled: true
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id344" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id344"><pre><code>
-[customizations.services]
-enabled = ["auditd"]
/usr/share/doc/scap-security-guide/guides/ssg-sl7-guide-pci-dss.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sl7-guide-pci-dss.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sl7-guide-pci-dss.html	2023-07-27 00:00:00.000000000 +0000
@@ -74,7 +74,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>PCI-DSS v3.2.1 Control Baseline for Red Hat Enterprise Linux 7</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_pci-dss</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::client is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::client</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::computenode is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::computenode</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::server is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::server</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::workstation is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::workstation</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:scientificlinux:scientificlinux:7 is applicable to this Benchmark">cpe:/o:scientificlinux:scientificlinux:7</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-7"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 7
                           <small>Group contains 47 groups and 96 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -463,7 +463,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id11" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id11"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id11" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id11"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id12" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id12"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -480,19 +484,15 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id12" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id12"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id13" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id13"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
-package --add=aide
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id14" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id14"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id13" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id13"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
   package { 'aide':
     ensure =&gt; 'installed',
   }
 }
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id14" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Anaconda snippet ⇲</a><br><div class="panel-collapse collapse" id="id14"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
+package --add=aide
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_aide_build_database" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_aide_build_database" id="guide-tree-leaf-id15" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_aide"><td style="padding-left: 114px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_aide_build_database"><span class="label label-default">Rule</span>  
                                 Build and Test AIDE Database
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_aide_build_database">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">Run the following command to generate a new database:
@@ -6737,7 +6737,26 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id98" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id98"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id98" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id98"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/password-auth
+        overwrite: true
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/system-auth
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id99" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id99"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
     authselect
   ansible.builtin.stat:
     path: /usr/bin/authselect
@@ -6861,25 +6880,6 @@
   - medium_disruption
   - no_empty_passwords
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id99" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id99"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/password-auth
-        overwrite: true
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/system-auth
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_auditing" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td style="padding-left: 38px" id="xccdf_org.ssgproject.content_group_auditing"><span class="label label-default">Group</span>  
                 System Accounting with auditd
                           <small>Group contains 9 groups and 41 rules</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_auditing" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_auditing" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_system"><td style="padding-left: 38px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_auditing">[ref]</a>  
@@ -19135,7 +19135,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id153" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id153"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id153" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id153"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db64%20-S%20adjtimex%20-k%20audit_time_rules%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20adjtimex%20-k%20audit_time_rules%0A }}
+        mode: 0600
+        path: /etc/audit/rules.d/75-syscall-adjtimex.rules
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id154" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id154"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -19459,20 +19473,6 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id154" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id154"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db64%20-S%20adjtimex%20-k%20audit_time_rules%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20adjtimex%20-k%20audit_time_rules%0A }}
-        mode: 0600
-        path: /etc/audit/rules.d/75-syscall-adjtimex.rules
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime" id="guide-tree-leaf-id155" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_audit_time_rules"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime"><span class="label label-default">Rule</span>  
                                 Record Attempts to Alter Time Through clock_settime
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">If the <code>auditd</code> daemon is configured to use the
@@ -19824,7 +19824,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id157" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id157"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id157" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id157"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db64%20-S%20clock_settime%20-F%20a0%3D0x0%20-k%20time-change%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20clock_settime%20-F%20a0%3D0x0%20-k%20time-change%0A }}
+        mode: 0600
+        path: /etc/audit/rules.d/75-syscall-clock-settime.rules
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id158" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id158"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -20141,20 +20155,6 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id158" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id158"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db64%20-S%20clock_settime%20-F%20a0%3D0x0%20-k%20time-change%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20clock_settime%20-F%20a0%3D0x0%20-k%20time-change%0A }}
-        mode: 0600
-        path: /etc/audit/rules.d/75-syscall-clock-settime.rules
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday" id="guide-tree-leaf-id159" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_audit_time_rules"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday"><span class="label label-default">Rule</span>  
                                 Record attempts to alter time through settimeofday
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">If the <code>auditd</code> daemon is configured to use the
@@ -20518,7 +20518,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id161" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id161"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id161" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id161"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
/usr/share/doc/scap-security-guide/guides/ssg-sl7-guide-standard.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-sl7-guide-standard.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-sl7-guide-standard.html	2023-07-27 00:00:00.000000000 +0000
@@ -76,7 +76,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Standard System Security Profile for Red Hat Enterprise Linux 7</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_standard</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::client is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::client</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::computenode is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::computenode</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::server is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::server</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7::workstation is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7::workstation</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:redhat:enterprise_linux:7 is applicable to this Benchmark">cpe:/o:redhat:enterprise_linux:7</span></li><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:scientificlinux:scientificlinux:7 is applicable to this Benchmark">cpe:/o:scientificlinux:scientificlinux:7</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_RHEL-7"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Red Hat Enterprise Linux 7
                           <small>Group contains 28 groups and 51 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_RHEL-7"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -905,7 +905,26 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id26" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id26"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id26" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id26"><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/password-auth
+        overwrite: true
+      - contents:
+          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
+        mode: 0644
+        path: /etc/pam.d/system-auth
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id27" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id27"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Strategy:</th><td>configure</td></tr></table><pre><code>- name: Prevent Login to Accounts With Empty Password - Check if system relies on
     authselect
   ansible.builtin.stat:
     path: /usr/bin/authselect
@@ -1029,25 +1048,6 @@
   - medium_disruption
   - no_empty_passwords
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id27" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id27"><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/password-auth
-        overwrite: true
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/system-auth
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_accounts-session" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts"><td style="padding-left: 57px" id="xccdf_org.ssgproject.content_group_accounts-session"><span class="label label-default">Group</span>  
                 Secure Session Configuration Files for Login Accounts
                           <small>Group contains  1 group and 1 rule</small></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_group_accounts-session" class="guide-tree-inner-node guide-tree-inner-node-id-xccdf_org.ssgproject.content_group_accounts-session" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_accounts"><td style="padding-left: 57px"><div><a class="small" href="#xccdf_org.ssgproject.content_group_accounts-session">[ref]</a>  
@@ -12931,7 +12931,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id81" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id81"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id81" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id81"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db64%20-S%20adjtimex%20-k%20audit_time_rules%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20adjtimex%20-k%20audit_time_rules%0A }}
+        mode: 0600
+        path: /etc/audit/rules.d/75-syscall-adjtimex.rules
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id82" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id82"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -13255,20 +13269,6 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id82" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id82"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db64%20-S%20adjtimex%20-k%20audit_time_rules%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20adjtimex%20-k%20audit_time_rules%0A }}
-        mode: 0600
-        path: /etc/audit/rules.d/75-syscall-adjtimex.rules
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime" id="guide-tree-leaf-id83" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_audit_time_rules"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime"><span class="label label-default">Rule</span>  
                                 Record Attempts to Alter Time Through clock_settime
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">If the <code>auditd</code> daemon is configured to use the
@@ -13620,7 +13620,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id85" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id85"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id85" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id85"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db64%20-S%20clock_settime%20-F%20a0%3D0x0%20-k%20time-change%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20clock_settime%20-F%20a0%3D0x0%20-k%20time-change%0A }}
+        mode: 0600
+        path: /etc/audit/rules.d/75-syscall-clock-settime.rules
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id86" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id86"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -13937,20 +13951,6 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id86" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id86"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db64%20-S%20clock_settime%20-F%20a0%3D0x0%20-k%20time-change%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20clock_settime%20-F%20a0%3D0x0%20-k%20time-change%0A }}
-        mode: 0600
-        path: /etc/audit/rules.d/75-syscall-clock-settime.rules
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday" id="guide-tree-leaf-id87" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_audit_time_rules"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday"><span class="label label-default">Rule</span>  
                                 Record attempts to alter time through settimeofday
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">If the <code>auditd</code> daemon is configured to use the
@@ -14314,7 +14314,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id89" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id89"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id89" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id89"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db64%20-S%20settimeofday%20-k%20audit_time_rules%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20settimeofday%20-k%20audit_time_rules%0A }}
+        mode: 0600
+        path: /etc/audit/rules.d/75-syscall-settimeofday.rules
+        overwrite: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id90" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id90"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -14639,20 +14653,6 @@
   - medium_severity
   - no_reboot_needed
   - restrict_strategy
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id90" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id90"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>restrict</td></tr></table><pre><code>---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db64%20-S%20settimeofday%20-k%20audit_time_rules%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20settimeofday%20-k%20audit_time_rules%0A }}
-        mode: 0600
-        path: /etc/audit/rules.d/75-syscall-settimeofday.rules
-        overwrite: true
 </code></pre></div></div></td></tr></tbody></table></td></tr><tr data-tt-id="xccdf_org.ssgproject.content_rule_audit_rules_time_stime" class="guide-tree-leaf guide-tree-leaf-id-xccdf_org.ssgproject.content_rule_audit_rules_time_stime" id="guide-tree-leaf-id91" data-tt-parent-id="children-xccdf_org.ssgproject.content_group_audit_time_rules"><td style="padding-left: 95px"><table class="table table-striped table-bordered"><tbody><tr><td colspan="2"><h4 id="xccdf_org.ssgproject.content_rule_audit_rules_time_stime"><span class="label label-default">Rule</span>  
                                 Record Attempts to Alter Time Through stime
                                   <a class="small" href="#xccdf_org.ssgproject.content_rule_audit_rules_time_stime">[ref]</a></h4></td></tr><tr><td colspan="2"><div class="description">If the <code>auditd</code> daemon is configured to use the
@@ -15020,7 +15020,21 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
/usr/share/doc/scap-security-guide/tables/table-ol7-anssirefs.html differs (HTML document, UTF-8 Unicode text)
--- old//usr/share/doc/scap-security-guide/tables/table-ol7-anssirefs.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-ol7-anssirefs.html	2023-07-27 00:00:00.000000000 +0000
@@ -45,30 +45,6 @@
   <tbody>
   <tr>
       <td>BP28(R1)</td>
-      <td>Uninstall telnet-server Package</td>
-      <td xml:lang="en-US">
-        The <code>telnet-server</code> package can be removed with the following command:
-<pre>
-$ sudo yum erase telnet-server</pre>
-      </td>
-      <td xml:lang="en-US">
-        It is detrimental for operating systems to provide, or install by default,
-functionality exceeding requirements or mission objectives. These
-unnecessary capabilities are often overlooked and therefore may remain
-unsecure. They increase the risk to the platform by providing additional
-attack vectors.
-<br />
-The telnet service provides an unencrypted remote access service which does
-not provide for the confidentiality and integrity of user passwords or the
-remote session. If a privileged user were to login using this service, the
-privileged user password could be compromised.
-<br />
-Removing the <tt>telnet-server</tt> package decreases the risk of the
-telnet service's accidental (or intentional) activation.
-      </td>
-    </tr>
-    <tr>
-      <td>BP28(R1)</td>
       <td>Uninstall ypserv Package</td>
       <td xml:lang="en-US">
         The <code>ypserv</code> package can be removed with the following command:
@@ -86,6 +62,27 @@
     </tr>
     <tr>
       <td>BP28(R1)</td>
+      <td>Ensure SMEP is not disabled during boot</td>
+      <td xml:lang="en-US">
+        The SMEP is used to prevent the supervisor mode from executing user space code,
+it is enabled by default since Linux kernel 3.0. But it could be disabled through
+kernel boot parameters.
+
+Ensure that Supervisor Mode Execution Prevention (SMEP) is not disabled by
+the <tt>nosmep</tt> boot paramenter option.
+
+Check that the line <pre>GRUB_CMDLINE_LINUX="..."</pre> within <tt>/etc/default/grub</tt>
+doesn't contain the argument <tt>nosmep</tt>.
+Run the following command to update command line for already installed kernels:
+<pre># grubby --update-kernel=ALL --remove-args="nosmep"</pre>
+      </td>
+      <td xml:lang="en-US">
+        Disabling SMEP can facilitate exploitation of certain vulnerabilities because it allows
+the kernel to unintentionally execute code in less privileged memory space.
+      </td>
+    </tr>
+    <tr>
+      <td>BP28(R1)</td>
       <td>Ensure SMAP is not disabled during boot</td>
       <td xml:lang="en-US">
         The SMAP is used to prevent the supervisor mode from unintentionally reading/writing into
@@ -106,56 +103,6 @@
       </td>
     </tr>
     <tr>
-      <td>BP28(R1)</td>
-      <td>Uninstall DHCP Server Package</td>
-      <td xml:lang="en-US">
-        If the system does not need to act as a DHCP server,
-the dhcp package can be uninstalled.
-
-The <code>dhcp</code> package can be removed with the following command:
-<pre>
-$ sudo yum erase dhcp</pre>
-      </td>
-      <td xml:lang="en-US">
-        Removing the DHCP server ensures that it cannot be easily or
-accidentally reactivated and disrupt network operation.
-      </td>
-    </tr>
-    <tr>
-      <td>BP28(R1)</td>
-      <td>Uninstall tftp-server Package</td>
-      <td xml:lang="en-US">
-        The <code>tftp-server</code> package can be removed with the following command: <pre> $ sudo yum erase tftp-server</pre>
-      </td>
-      <td xml:lang="en-US">
-        Removing the <tt>tftp-server</tt> package decreases the risk of the accidental
-(or intentional) activation of tftp services.
-<br /><br />
-If TFTP is required for operational support (such as transmission of router
-configurations), its use must be documented with the Information Systems
-Securty Manager (ISSM), restricted to only authorized personnel, and have
-access control rules established.
-      </td>
-    </tr>
-    <tr>
-      <td>BP28(R1)</td>
-      <td>Install the dracut-fips-aesni Package</td>
-      <td xml:lang="en-US">
-        To enable FIPS on system that support the Advanced Encryption Standard (AES) or New
-Instructions (AES-NI) engine, the system requires that the <tt>dracut-fips-aesni</tt>
-package be installed.
-The <code>dracut-fips-aesni</code> package can be installed with the following command:
-<pre>
-$ sudo yum install dracut-fips-aesni</pre>
-      </td>
-      <td xml:lang="en-US">
-        Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to
-protect data. The operating system must implement cryptographic modules adhering to the higher
-standards approved by the federal government since this provides assurance they have been tested
-and validated.
-      </td>
-    </tr>
-    <tr>
       <td>BP28(R1)<br/>NT007(R03)</td>
       <td>Uninstall the telnet server</td>
       <td xml:lang="en-US">
@@ -169,35 +116,26 @@
     </tr>
     <tr>
       <td>BP28(R1)</td>
-      <td>Remove tftp Daemon</td>
-      <td xml:lang="en-US">
-        Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol,
-typically used to automatically transfer configuration or boot files between systems.
-TFTP does not support authentication and can be easily hacked. The package
-<tt>tftp</tt> is a client program that allows for connections to a <tt>tftp</tt> server.
-      </td>
-      <td xml:lang="en-US">
-        It is recommended that TFTP be removed, unless there is a specific need
-for TFTP (such as a boot server). In that case, use extreme caution when configuring
-the services.
-      </td>
-    </tr>
-    <tr>
-      <td>BP28(R1)</td>
-      <td>Uninstall talk Package</td>
+      <td>Uninstall telnet-server Package</td>
       <td xml:lang="en-US">
-        The <tt>talk</tt> package contains the client program for the
-Internet talk protocol, which allows the user to chat with other users on
-different systems. Talk is a communication program which copies lines from one
-terminal to the terminal of another user.
-The <code>talk</code> package can be removed with the following command:
+        The <code>telnet-server</code> package can be removed with the following command:
 <pre>
-$ sudo yum erase talk</pre>
+$ sudo yum erase telnet-server</pre>
       </td>
       <td xml:lang="en-US">
-        The talk software presents a security risk as it uses unencrypted protocols
-for communications. Removing the <tt>talk</tt> package decreases the
-risk of the accidental (or intentional) activation of talk client program.
+        It is detrimental for operating systems to provide, or install by default,
+functionality exceeding requirements or mission objectives. These
+unnecessary capabilities are often overlooked and therefore may remain
+unsecure. They increase the risk to the platform by providing additional
+attack vectors.
+<br />
+The telnet service provides an unencrypted remote access service which does
+not provide for the confidentiality and integrity of user passwords or the
+remote session. If a privileged user were to login using this service, the
+privileged user password could be compromised.
+<br />
+Removing the <tt>telnet-server</tt> package decreases the risk of the
+telnet service's accidental (or intentional) activation.
       </td>
     </tr>
     <tr>
@@ -222,29 +160,49 @@
     </tr>
     <tr>
       <td>BP28(R1)</td>
-      <td>Uninstall xinetd Package</td>
+      <td>Install the dracut-fips-aesni Package</td>
       <td xml:lang="en-US">
-        The <code>xinetd</code> package can be removed with the following command:
+        To enable FIPS on system that support the Advanced Encryption Standard (AES) or New
+Instructions (AES-NI) engine, the system requires that the <tt>dracut-fips-aesni</tt>
+package be installed.
+The <code>dracut-fips-aesni</code> package can be installed with the following command:
 <pre>
-$ sudo yum erase xinetd</pre>
+$ sudo yum install dracut-fips-aesni</pre>
       </td>
       <td xml:lang="en-US">
-        Removing the <tt>xinetd</tt> package decreases the risk of the
-xinetd service's accidental (or intentional) activation.
+        Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to
+protect data. The operating system must implement cryptographic modules adhering to the higher
+standards approved by the federal government since this provides assurance they have been tested
+and validated.
       </td>
     </tr>
     <tr>
       <td>BP28(R1)</td>
-      <td>Remove telnet Clients</td>
+      <td>Uninstall DHCP Server Package</td>
       <td xml:lang="en-US">
/usr/share/doc/scap-security-guide/tables/table-ol7-cuirefs.html differs (HTML document, ASCII text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-ol7-cuirefs.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-ol7-cuirefs.html	2023-07-27 00:00:00.000000000 +0000
@@ -44,57 +44,6 @@
   </thead>
   <tbody>
   <tr>
-      <td>3.1.1<br/>3.4.5</td>
-      <td>Require Authentication for Emergency Systemd Target</td>
-      <td xml:lang="en-US">
-        Emergency mode is intended as a system recovery
-method, providing a single user root access to the system
-during a failed boot sequence.
-<br /><br />
-By default, Emergency mode is protected by requiring a password and is set
-in <tt>/usr/lib/systemd/system/emergency.service</tt>.
-      </td>
-      <td xml:lang="en-US">
-        This prevents attackers with physical access from trivially bypassing security
-on the machine and gaining root access. Such accesses are further prevented
-by configuring the bootloader password.
-      </td>
-    </tr>
-    <tr>
-      <td>3.1.1<br/>3.4.5</td>
-      <td>Require Authentication for Single User Mode</td>
-      <td xml:lang="en-US">
-        Single-user mode is intended as a system recovery
-method, providing a single user root access to the system by
-providing a boot option at startup.
-<br /><br />
-By default, single-user mode is protected by requiring a password and is set
-in <tt>/usr/lib/systemd/system/rescue.service</tt>.
-      </td>
-      <td xml:lang="en-US">
-        This prevents attackers with physical access from trivially bypassing security
-on the machine and gaining root access. Such accesses are further prevented
-by configuring the bootloader password.
-      </td>
-    </tr>
-    <tr>
-      <td>3.1.1</td>
-      <td>Disable GDM Automatic Login</td>
-      <td xml:lang="en-US">
-        The GNOME Display Manager (GDM) can allow users to automatically login without
-user interaction or credentials. User should always be required to authenticate themselves
-to the system that they are authorized to use. To disable user ability to automatically
-login to the system, set the <tt>AutomaticLoginEnable</tt> to <tt>false</tt> in the
-<tt>[daemon]</tt> section in <tt>/etc/gdm/custom.conf</tt>. For example:
-<pre>[daemon]
-AutomaticLoginEnable=false</pre>
-      </td>
-      <td xml:lang="en-US">
-        Failure to restrict system access to authenticated users negatively impacts operating
-system security.
-      </td>
-    </tr>
-    <tr>
       <td>3.1.1<br/>3.1.6</td>
       <td>Direct root Logins Not Allowed</td>
       <td xml:lang="en-US">
@@ -139,6 +88,55 @@
     </tr>
     <tr>
       <td>3.1.1<br/>3.1.5</td>
+      <td>Restrict Serial Port Root Logins</td>
+      <td xml:lang="en-US">
+        To restrict root logins on serial ports,
+ensure lines of this form do not appear in <tt>/etc/securetty</tt>:
+<pre>ttyS0
+ttyS1</pre>
+      </td>
+      <td xml:lang="en-US">
+        Preventing direct root login to serial port interfaces
+helps ensure accountability for actions taken on the systems
+using the root account.
+      </td>
+    </tr>
+    <tr>
+      <td>3.1.1<br/>3.4.5</td>
+      <td>Require Authentication for Single User Mode</td>
+      <td xml:lang="en-US">
+        Single-user mode is intended as a system recovery
+method, providing a single user root access to the system by
+providing a boot option at startup.
+<br /><br />
+By default, single-user mode is protected by requiring a password and is set
+in <tt>/usr/lib/systemd/system/rescue.service</tt>.
+      </td>
+      <td xml:lang="en-US">
+        This prevents attackers with physical access from trivially bypassing security
+on the machine and gaining root access. Such accesses are further prevented
+by configuring the bootloader password.
+      </td>
+    </tr>
+    <tr>
+      <td>3.1.1</td>
+      <td>Disable GDM Automatic Login</td>
+      <td xml:lang="en-US">
+        The GNOME Display Manager (GDM) can allow users to automatically login without
+user interaction or credentials. User should always be required to authenticate themselves
+to the system that they are authorized to use. To disable user ability to automatically
+login to the system, set the <tt>AutomaticLoginEnable</tt> to <tt>false</tt> in the
+<tt>[daemon]</tt> section in <tt>/etc/gdm/custom.conf</tt>. For example:
+<pre>[daemon]
+AutomaticLoginEnable=false</pre>
+      </td>
+      <td xml:lang="en-US">
+        Failure to restrict system access to authenticated users negatively impacts operating
+system security.
+      </td>
+    </tr>
+    <tr>
+      <td>3.1.1<br/>3.1.5</td>
       <td>Disable SSH Access via Empty Passwords</td>
       <td xml:lang="en-US">
         Disallow SSH login with empty passwords.
@@ -163,18 +161,20 @@
       </td>
     </tr>
     <tr>
-      <td>3.1.1<br/>3.1.5</td>
-      <td>Restrict Serial Port Root Logins</td>
+      <td>3.1.1<br/>3.4.5</td>
+      <td>Require Authentication for Emergency Systemd Target</td>
       <td xml:lang="en-US">
-        To restrict root logins on serial ports,
-ensure lines of this form do not appear in <tt>/etc/securetty</tt>:
-<pre>ttyS0
-ttyS1</pre>
+        Emergency mode is intended as a system recovery
+method, providing a single user root access to the system
+during a failed boot sequence.
+<br /><br />
+By default, Emergency mode is protected by requiring a password and is set
+in <tt>/usr/lib/systemd/system/emergency.service</tt>.
       </td>
       <td xml:lang="en-US">
-        Preventing direct root login to serial port interfaces
-helps ensure accountability for actions taken on the systems
-using the root account.
+        This prevents attackers with physical access from trivially bypassing security
+on the machine and gaining root access. Such accesses are further prevented
+by configuring the bootloader password.
       </td>
     </tr>
     <tr>
@@ -258,10 +258,9 @@
     </tr>
     <tr>
       <td>3.1.2<br/>3.7.2</td>
-      <td>Ensure SELinux Not Disabled in /etc/default/grub</td>
+      <td>Ensure SELinux Not Disabled in the kernel arguments</td>
       <td xml:lang="en-US">
-        SELinux can be disabled at boot time by an argument in
-<tt>/etc/default/grub</tt>.
+        SELinux can be disabled at boot time by disabling it via a kernel argument.
 Remove any instances of <tt>selinux=0</tt> from the kernel arguments in that
 file to prevent SELinux from being disabled at boot.
       </td>
@@ -273,9 +272,10 @@
     </tr>
     <tr>
       <td>3.1.2<br/>3.7.2</td>
-      <td>Ensure SELinux Not Disabled in the kernel arguments</td>
+      <td>Ensure SELinux Not Disabled in /etc/default/grub</td>
       <td xml:lang="en-US">
-        SELinux can be disabled at boot time by disabling it via a kernel argument.
+        SELinux can be disabled at boot time by an argument in
+<tt>/etc/default/grub</tt>.
 Remove any instances of <tt>selinux=0</tt> from the kernel arguments in that
 file to prevent SELinux from being disabled at boot.
       </td>
@@ -286,21 +286,27 @@
       </td>
     </tr>
     <tr>
-      <td>3.1.2<br/>3.1.5<br/>3.7.2</td>
-      <td>Ensure No Daemons are Unconfined by SELinux</td>
+      <td>3.1.2<br/>3.4.5</td>
+      <td>Verify that Interactive Boot is Disabled</td>
       <td xml:lang="en-US">
-        Daemons for which the SELinux policy does not contain rules will inherit the
-context of the parent process. Because daemons are launched during
-startup and descend from the <tt>init</tt> process, they inherit the <tt>unconfined_service_t</tt> context.
-<br />
-<br />
-To check for unconfined daemons, run the following command:
-<pre>$ sudo ps -eZ | grep "unconfined_service_t"</pre>
-It should produce no output in a well-configured system.
+        Oracle Linux 7 systems support an "interactive boot" option that can
+be used to prevent services from being started. On a Oracle Linux 7
+system, interactive boot can be enabled by providing a <tt>1</tt>,
+<tt>yes</tt>, <tt>true</tt>, or <tt>on</tt> value to the
+<tt>systemd.confirm_spawn</tt> kernel argument in <tt>/etc/default/grub</tt>.
+Remove any instance of <pre>systemd.confirm_spawn=(1|yes|true|on)</pre> from
+the kernel arguments in that file to disable interactive boot.
+Recovery booting must also be disabled. Confirm that
+<tt>GRUB_DISABLE_RECOVERY=true</tt> is set in  <tt>/etc/default/grub</tt>.
+It is also required to change the runtime configuration, run:
+
/usr/share/doc/scap-security-guide/tables/table-ol7-nistrefs.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-ol7-nistrefs.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-ol7-nistrefs.html	2023-07-27 00:00:00.000000000 +0000
@@ -44,161 +44,48 @@
   </thead>
   <tbody>
   <tr>
-      <td>AU-2(d)<br/>AU-12(c)<br/>CM-6(a)</td>
-      <td>Record Unsuccessful Modification Attempts to Files - open_by_handle_at O_TRUNC_WRITE</td>
-      <td xml:lang="en-US">
-        The audit system should collect detailed unauthorized file accesses for
-all users and root. The <tt>open_by_handle_at</tt> syscall can be used to modify files
-if called for write operation of with O_TRUNC_WRITE flag.
-
-The following auidt rules will asure that unsuccessful attempts to modify a
-file via <tt>open_by_handle_at</tt> syscall are collected.
-
-If the <tt>auditd</tt> daemon is configured to use the <tt>augenrules</tt>
-program to read audit rules during daemon startup (the default), add the
-rules below to a file with suffix <tt>.rules</tt> in the directory
-<tt>/etc/audit/rules.d</tt>.
-
-If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
-utility to read audit rules during daemon startup, add the rules below to
-<tt>/etc/audit/audit.rules</tt> file.
-<pre>
--a always,exit -F arch=b32 -S open_by_handle_at -F a2&amp;01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
--a always,exit -F arch=b32 -S open_by_handle_at -F a2&amp;01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-</pre>
-
-If the system is 64 bit then also add the following lines:
-<pre>
--a always,exit -F arch=b64 -S open_by_handle_at -F a2&amp;01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
--a always,exit -F arch=b64 -S open_by_handle_at -F a2&amp;01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-</pre>
-      </td>
-      <td xml:lang="en-US">
-        Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
-these events could serve as evidence of potential system compromise.
-      </td>
-    </tr>
-    <tr>
-      <td>AU-2(d)<br/>AU-12(c)<br/>CM-6(a)</td>
-      <td>Record Unsuccessful Permission Changes to Files - fremovexattr</td>
-      <td xml:lang="en-US">
-        The audit system should collect unsuccessful file permission change
-attempts for all users and root.
-If the <tt>auditd</tt> daemon is configured
-to use the <tt>augenrules</tt> program to read audit rules during daemon
-startup (the default), add the following lines to a file with suffix
-<tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>.
-If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
-utility to read audit rules during daemon startup, add the following lines to
-<tt>/etc/audit/audit.rules</tt> file.
-<pre>-a always,exit -F arch=b32 -S fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
--a always,exit -F arch=b32 -S fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change</pre>
-If the system is 64 bit then also add the following lines:
-<pre>-a always,exit -F arch=b64 -S fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
--a always,exit -F arch=b64 -S fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change</pre>
-      </td>
-      <td xml:lang="en-US">
-        Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing
-these events could serve as evidence of potential system compromise.
-      </td>
-    </tr>
-    <tr>
-      <td>AU-2(d)<br/>AU-12(c)<br/>CM-6(a)</td>
-      <td>Ensure auditd Collects File Deletion Events by User - unlinkat</td>
+      <td>AU-2(d)<br/>AU-12(c)<br/>AC-6(9)<br/>CM-6(a)</td>
+      <td>Record Attempts to Alter Logon and Logout Events - tallylog</td>
       <td xml:lang="en-US">
-        At a minimum, the audit system should collect file deletion events
-for all users and root. If the <tt>auditd</tt> daemon is configured to use the
+        The audit system already collects login information for all users
+and root. If the <tt>auditd</tt> daemon is configured to use the
 <tt>augenrules</tt> program to read audit rules during daemon startup (the
-default), add the following line to a file with suffix <tt>.rules</tt> in the
-directory <tt>/etc/audit/rules.d</tt>, setting ARCH to either b32 or b64 as
-appropriate for your system:
-<pre>-a always,exit -F arch=ARCH -S unlinkat -F auid&gt;=1000 -F auid!=unset -F key=delete</pre>
+default), add the following lines to a file with suffix <tt>.rules</tt> in the
+directory <tt>/etc/audit/rules.d</tt> in order to watch for attempted manual
+edits of files involved in storing logon events:
+<pre>-w /var/log/tallylog -p wa -k logins</pre>
 If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
-utility to read audit rules during daemon startup, add the following line to
-<tt>/etc/audit/audit.rules</tt> file, setting ARCH to either b32 or b64 as
-appropriate for your system:
-<pre>-a always,exit -F arch=ARCH -S unlinkat -F auid&gt;=1000 -F auid!=unset -F key=delete</pre>
+utility to read audit rules during daemon startup, add the following lines to
+<tt>/etc/audit/audit.rules</tt> file in order to watch for unattempted manual
+edits of files involved in storing logon events:
+<pre>-w /var/log/tallylog -p wa -k logins</pre>
       </td>
       <td xml:lang="en-US">
-        Auditing file deletions will create an audit trail for files that are removed
-from the system. The audit trail could aid in system troubleshooting, as well as, detecting
-malicious processes that attempt to delete log files to conceal their presence.
+        Manual editing of these files may indicate nefarious activity, such
+as an attacker attempting to remove evidence of an intrusion.
       </td>
     </tr>
     <tr>
-      <td>AU-2(d)<br/>AU-12(c)<br/>CM-6(a)</td>
-      <td>Ensure auditd Collects File Deletion Events by User - rename</td>
+      <td>AU-2(d)<br/>AU-12(c)<br/>AC-6(9)<br/>CM-6(a)</td>
+      <td>Record attempts to alter time through adjtimex</td>
       <td xml:lang="en-US">
-        At a minimum, the audit system should collect file deletion events
-for all users and root. If the <tt>auditd</tt> daemon is configured to use the
+        If the <tt>auditd</tt> daemon is configured to use the
 <tt>augenrules</tt> program to read audit rules during daemon startup (the
 default), add the following line to a file with suffix <tt>.rules</tt> in the
-directory <tt>/etc/audit/rules.d</tt>, setting ARCH to either b32 or b64 as
-appropriate for your system:
-<pre>-a always,exit -F arch=ARCH -S rename -F auid&gt;=1000 -F auid!=unset -F key=delete</pre>
-If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
-utility to read audit rules during daemon startup, add the following line to
-<tt>/etc/audit/audit.rules</tt> file, setting ARCH to either b32 or b64 as
-appropriate for your system:
-<pre>-a always,exit -F arch=ARCH -S rename -F auid&gt;=1000 -F auid!=unset -F key=delete</pre>
-      </td>
-      <td xml:lang="en-US">
-        Auditing file deletions will create an audit trail for files that are removed
-from the system. The audit trail could aid in system troubleshooting, as well as, detecting
-malicious processes that attempt to delete log files to conceal their presence.
-      </td>
-    </tr>
-    <tr>
-      <td>AU-2(d)<br/>AU-12(c)<br/>CM-6(a)</td>
-      <td>Record Events that Modify the System's Discretionary Access Controls - fchmodat</td>
-      <td xml:lang="en-US">
-        At a minimum, the audit system should collect file permission
-changes for all users and root. If the <tt>auditd</tt> daemon is configured to
-use the <tt>augenrules</tt> program to read audit rules during daemon startup
-(the default), add the following line to a file with suffix <tt>.rules</tt> in
-the directory <tt>/etc/audit/rules.d</tt>:
-<pre>-a always,exit -F arch=b32 -S fchmodat -F auid&gt;=1000 -F auid!=unset -F key=perm_mod</pre>
+directory <tt>/etc/audit/rules.d</tt>:
+<pre>-a always,exit -F arch=b32 -S adjtimex -F key=audit_time_rules</pre>
 If the system is 64 bit then also add the following line:
-<pre>-a always,exit -F arch=b64 -S fchmodat -F auid&gt;=1000 -F auid!=unset -F key=perm_mod</pre>
+<pre>-a always,exit -F arch=b64 -S adjtimex -F key=audit_time_rules</pre>
 If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
 utility to read audit rules during daemon startup, add the following line to
 <tt>/etc/audit/audit.rules</tt> file:
-<pre>-a always,exit -F arch=b32 -S fchmodat -F auid&gt;=1000 -F auid!=unset -F key=perm_mod</pre>
+<pre>-a always,exit -F arch=b32 -S adjtimex -F key=audit_time_rules</pre>
 If the system is 64 bit then also add the following line:
-<pre>-a always,exit -F arch=b64 -S fchmodat -F auid&gt;=1000 -F auid!=unset -F key=perm_mod</pre>
-      </td>
-      <td xml:lang="en-US">
-        The changing of file permissions could indicate that a user is attempting to
-gain access to information that would otherwise be disallowed. Auditing DAC modifications
-can facilitate the identification of patterns of abuse among both authorized and
-unauthorized users.
-      </td>
-    </tr>
-    <tr>
-      <td>AU-2(d)<br/>AU-12(c)<br/>AC-6(9)<br/>CM-6(a)</td>
-      <td>Record Attempts to Alter Time Through stime</td>
-      <td xml:lang="en-US">
-        If the <tt>auditd</tt> daemon is configured to use the
-<tt>augenrules</tt> program to read audit rules during daemon startup (the
-default), add the following line to a file with suffix <tt>.rules</tt> in the
-directory <tt>/etc/audit/rules.d</tt> for both 32 bit and 64 bit systems:
-<pre>-a always,exit -F arch=b32 -S stime -F key=audit_time_rules</pre>
-Since the 64 bit version of the "stime" system call is not defined in the audit
-lookup table, the corresponding "-F arch=b64" form of this rule is not expected
-to be defined on 64 bit systems (the aforementioned "-F arch=b32" stime rule
-form itself is sufficient for both 32 bit and 64 bit systems). If the
-<tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt> utility to
-read audit rules during daemon startup, add the following line to
-<tt>/etc/audit/audit.rules</tt> file for both 32 bit and 64 bit systems:
-<pre>-a always,exit -F arch=b32 -S stime -F key=audit_time_rules</pre>
-Since the 64 bit version of the "stime" system call is not defined in the audit
-lookup table, the corresponding "-F arch=b64" form of this rule is not expected
-to be defined on 64 bit systems (the aforementioned "-F arch=b32" stime rule
-form itself is sufficient for both 32 bit and 64 bit systems). The -k option
-allows for the specification of a key in string form that can be used for
-better reporting capability through ausearch and aureport. Multiple system
-calls can be defined on the same line to save space if desired, but is not
-required. See an example of multiple combined system calls:
+<pre>-a always,exit -F arch=b64 -S adjtimex -F key=audit_time_rules</pre>
+The -k option allows for the specification of a key in string form that can be
+used for better reporting capability through ausearch and aureport. Multiple
+system calls can be defined on the same line to save space if desired, but is
+not required. See an example of multiple combined syscalls:
 <pre>-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules</pre>
       </td>
       <td xml:lang="en-US">
@@ -210,130 +97,82 @@
     </tr>
     <tr>
       <td>AU-2(d)<br/>AU-12(c)<br/>CM-6(a)</td>
-      <td>Record Unsuccessful Ownership Changes to Files - chown</td>
-      <td xml:lang="en-US">
-        The audit system should collect unsuccessful file ownership change
-attempts for all users and root.
-If the <tt>auditd</tt> daemon is configured
-to use the <tt>augenrules</tt> program to read audit rules during daemon
/usr/share/doc/scap-security-guide/tables/table-ol7-ospprefs.html differs (HTML document, ASCII text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-ol7-ospprefs.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-ol7-ospprefs.html	2023-07-27 00:00:00.000000000 +0000
@@ -45,6 +45,20 @@
   <tbody>
   <tr>
       <td>AGD_PRE.1<br/>AGD_OPE.1</td>
+      <td>Install openscap-scanner Package</td>
+      <td xml:lang="en-US">
+        The <code>openscap-scanner</code> package can be installed with the following command:
+<pre>
+$ sudo yum install openscap-scanner</pre>
+      </td>
+      <td xml:lang="en-US">
+        <tt>openscap-scanner</tt> contains the <tt>oscap</tt> command line tool. This tool is a
+configuration and vulnerability scanner, capable of performing compliance checking using
+SCAP content.
+      </td>
+    </tr>
+    <tr>
+      <td>AGD_PRE.1<br/>AGD_OPE.1</td>
       <td>Install scap-security-guide Package</td>
       <td xml:lang="en-US">
         The <code>scap-security-guide</code> package can be installed with the following command:
@@ -64,17 +78,24 @@
       </td>
     </tr>
     <tr>
-      <td>AGD_PRE.1<br/>AGD_OPE.1</td>
-      <td>Install openscap-scanner Package</td>
+      <td>FAU_GEN.1</td>
+      <td>Enable Auditing for Processes Which Start Prior to the Audit Daemon</td>
       <td xml:lang="en-US">
-        The <code>openscap-scanner</code> package can be installed with the following command:
-<pre>
-$ sudo yum install openscap-scanner</pre>
+        To ensure all processes can be audited, even those which start
+prior to the audit daemon, add the argument <tt>audit=1</tt> to the default
+GRUB 2 command line for the Linux operating system.
+To ensure that <tt>audit=1</tt> is added as a kernel command line
+argument to newly installed kernels, add <tt>audit=1</tt> to the
+default Grub2 command line for Linux operating systems. Modify the line within
+<tt>/etc/default/grub</tt> as shown below:
+<pre>GRUB_CMDLINE_LINUX="... audit=1 ..."</pre>
+Run the following command to update command line for already installed kernels:<pre># grubby --update-kernel=ALL --args="audit=1"</pre>
       </td>
       <td xml:lang="en-US">
-        <tt>openscap-scanner</tt> contains the <tt>oscap</tt> command line tool. This tool is a
-configuration and vulnerability scanner, capable of performing compliance checking using
-SCAP content.
+        Each process on the system carries an "auditable" flag which indicates whether
+its activities can be audited. Although <tt>auditd</tt> takes care of enabling
+this for all processes which launch after it does, adding the kernel argument
+ensures it is set for every process during boot.
       </td>
     </tr>
     <tr>
@@ -93,36 +114,12 @@
     </tr>
     <tr>
       <td>FAU_GEN.1</td>
-      <td>Include Local Events in Audit Logs</td>
-      <td xml:lang="en-US">
-        To configure Audit daemon to include local events in Audit logs, set
-<tt>local_events</tt> to <tt>yes</tt> in <tt>/etc/audit/auditd.conf</tt>.
-This is the default setting.
-      </td>
-      <td xml:lang="en-US">
-        If option <tt>local_events</tt> isn't set to <tt>yes</tt> only events from
-network will be aggregated.
-      </td>
-    </tr>
-    <tr>
-      <td>FAU_GEN.1</td>
-      <td>Enable Auditing for Processes Which Start Prior to the Audit Daemon</td>
+      <td>Ensure the audit Subsystem is Installed</td>
       <td xml:lang="en-US">
-        To ensure all processes can be audited, even those which start
-prior to the audit daemon, add the argument <tt>audit=1</tt> to the default
-GRUB 2 command line for the Linux operating system.
-To ensure that <tt>audit=1</tt> is added as a kernel command line
-argument to newly installed kernels, add <tt>audit=1</tt> to the
-default Grub2 command line for Linux operating systems. Modify the line within
-<tt>/etc/default/grub</tt> as shown below:
-<pre>GRUB_CMDLINE_LINUX="... audit=1 ..."</pre>
-Run the following command to update command line for already installed kernels:<pre># grubby --update-kernel=ALL --args="audit=1"</pre>
+        The audit package should be installed.
       </td>
       <td xml:lang="en-US">
-        Each process on the system carries an "auditable" flag which indicates whether
-its activities can be audited. Although <tt>auditd</tt> takes care of enabling
-this for all processes which launch after it does, adding the kernel argument
-ensures it is set for every process during boot.
+        The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy.
       </td>
     </tr>
     <tr>
@@ -149,12 +146,15 @@
     </tr>
     <tr>
       <td>FAU_GEN.1</td>
-      <td>Ensure the audit Subsystem is Installed</td>
+      <td>Include Local Events in Audit Logs</td>
       <td xml:lang="en-US">
-        The audit package should be installed.
+        To configure Audit daemon to include local events in Audit logs, set
+<tt>local_events</tt> to <tt>yes</tt> in <tt>/etc/audit/auditd.conf</tt>.
+This is the default setting.
       </td>
       <td xml:lang="en-US">
-        The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy.
+        If option <tt>local_events</tt> isn't set to <tt>yes</tt> only events from
+network will be aggregated.
       </td>
     </tr>
     <tr>
@@ -180,142 +180,149 @@
     </tr>
     <tr>
       <td>FAU_GEN.1.1.c</td>
-      <td>Record Unsuccessful Modification Attempts to Files - open_by_handle_at O_TRUNC_WRITE</td>
+      <td>Record Attempts to Alter Logon and Logout Events - tallylog</td>
       <td xml:lang="en-US">
-        The audit system should collect detailed unauthorized file accesses for
-all users and root. The <tt>open_by_handle_at</tt> syscall can be used to modify files
-if called for write operation of with O_TRUNC_WRITE flag.
-
-The following auidt rules will asure that unsuccessful attempts to modify a
-file via <tt>open_by_handle_at</tt> syscall are collected.
-
-If the <tt>auditd</tt> daemon is configured to use the <tt>augenrules</tt>
-program to read audit rules during daemon startup (the default), add the
-rules below to a file with suffix <tt>.rules</tt> in the directory
-<tt>/etc/audit/rules.d</tt>.
-
+        The audit system already collects login information for all users
+and root. If the <tt>auditd</tt> daemon is configured to use the
+<tt>augenrules</tt> program to read audit rules during daemon startup (the
+default), add the following lines to a file with suffix <tt>.rules</tt> in the
+directory <tt>/etc/audit/rules.d</tt> in order to watch for attempted manual
+edits of files involved in storing logon events:
+<pre>-w /var/log/tallylog -p wa -k logins</pre>
 If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
-utility to read audit rules during daemon startup, add the rules below to
-<tt>/etc/audit/audit.rules</tt> file.
-<pre>
--a always,exit -F arch=b32 -S open_by_handle_at -F a2&amp;01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
--a always,exit -F arch=b32 -S open_by_handle_at -F a2&amp;01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-</pre>
-
-If the system is 64 bit then also add the following lines:
-<pre>
--a always,exit -F arch=b64 -S open_by_handle_at -F a2&amp;01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
--a always,exit -F arch=b64 -S open_by_handle_at -F a2&amp;01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-</pre>
+utility to read audit rules during daemon startup, add the following lines to
+<tt>/etc/audit/audit.rules</tt> file in order to watch for unattempted manual
+edits of files involved in storing logon events:
+<pre>-w /var/log/tallylog -p wa -k logins</pre>
       </td>
       <td xml:lang="en-US">
-        Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
-these events could serve as evidence of potential system compromise.
+        Manual editing of these files may indicate nefarious activity, such
+as an attacker attempting to remove evidence of an intrusion.
       </td>
     </tr>
     <tr>
       <td>FAU_GEN.1.1.c</td>
-      <td>Ensure auditd Collects System Administrator Actions</td>
+      <td>Record Attempts to Alter Process and Session Initiation Information</td>
       <td xml:lang="en-US">
-        At a minimum, the audit system should collect administrator actions
-for all users and root. If the <tt>auditd</tt> daemon is configured to use the
-<tt>augenrules</tt> program to read audit rules during daemon startup (the default),
-add the following line to a file with suffix <tt>.rules</tt> in the directory
-<tt>/etc/audit/rules.d</tt>:
-<pre>-w /etc/sudoers -p wa -k actions
--w /etc/sudoers.d/ -p wa -k actions</pre>
+        The audit system already collects process information for all
+users and root. If the <tt>auditd</tt> daemon is configured to use the
+<tt>augenrules</tt> program to read audit rules during daemon startup (the
+default), add the following lines to a file with suffix <tt>.rules</tt> in the
+directory <tt>/etc/audit/rules.d</tt> in order to watch for attempted manual
+edits of files involved in storing such process information:
+<pre>-w /var/run/utmp -p wa -k session
+-w /var/log/btmp -p wa -k session
+-w /var/log/wtmp -p wa -k session</pre>
 If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
-utility to read audit rules during daemon startup, add the following line to
-<tt>/etc/audit/audit.rules</tt> file:
-<pre>-w /etc/sudoers -p wa -k actions
--w /etc/sudoers.d/ -p wa -k actions</pre>
+utility to read audit rules during daemon startup, add the following lines to
+<tt>/etc/audit/audit.rules</tt> file in order to watch for attempted manual
+edits of files involved in storing such process information:
+<pre>-w /var/run/utmp -p wa -k session
+-w /var/log/btmp -p wa -k session
+-w /var/log/wtmp -p wa -k session</pre>
       </td>
       <td xml:lang="en-US">
/usr/share/doc/scap-security-guide/tables/table-ol7-pcidssrefs.html differs (HTML document, ASCII text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-ol7-pcidssrefs.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-ol7-pcidssrefs.html	2023-07-27 00:00:00.000000000 +0000
@@ -45,7 +45,7 @@
   <tbody>
   <tr>
       <td>Req-1.3</td>
-      <td>Set configuration for IPv6 loopback traffic</td>
+      <td>Set configuration for loopback traffic</td>
       <td xml:lang="en-US">
         Configure the loopback interface to accept traffic.
 Configure all other interfaces to deny traffic to the loopback
@@ -54,14 +54,14 @@
       <td xml:lang="en-US">
         Loopback traffic is generated between processes on machine and is
 typically critical to operation of the system. The loopback interface
-is the only place that loopback network traffic should be seen,
-all other interfaces should ignore traffic on this network as an
+is the only place that loopback network traffic should be seen, all
+other interfaces should ignore traffic on this network as an
 anti-spoofing measure.
       </td>
     </tr>
     <tr>
       <td>Req-1.3</td>
-      <td>Set configuration for loopback traffic</td>
+      <td>Set configuration for IPv6 loopback traffic</td>
       <td xml:lang="en-US">
         Configure the loopback interface to accept traffic.
 Configure all other interfaces to deny traffic to the loopback
@@ -70,8 +70,8 @@
       <td xml:lang="en-US">
         Loopback traffic is generated between processes on machine and is
 typically critical to operation of the system. The loopback interface
-is the only place that loopback network traffic should be seen, all
-other interfaces should ignore traffic on this network as an
+is the only place that loopback network traffic should be seen,
+all other interfaces should ignore traffic on this network as an
 anti-spoofing measure.
       </td>
     </tr>
@@ -149,20 +149,6 @@
     </tr>
     <tr>
       <td>Req-1.4.1</td>
-      <td>Install iptables Package</td>
-      <td xml:lang="en-US">
-        The <code>iptables</code> package can be installed with the following command:
-<pre>
-$ sudo yum install iptables</pre>
-      </td>
-      <td xml:lang="en-US">
-        <tt>iptables</tt> controls the Linux kernel network packet filtering
-code. <tt>iptables</tt> allows system operators to set up firewalls and IP
-masquerading, etc.
-      </td>
-    </tr>
-    <tr>
-      <td>Req-1.4.1</td>
       <td>Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces</td>
       <td xml:lang="en-US">
         To set the runtime status of the <code>net.ipv4.tcp_syncookies</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.tcp_syncookies=1</pre>
@@ -178,6 +164,20 @@
       </td>
     </tr>
     <tr>
+      <td>Req-1.4.1</td>
+      <td>Install iptables Package</td>
+      <td xml:lang="en-US">
+        The <code>iptables</code> package can be installed with the following command:
+<pre>
+$ sudo yum install iptables</pre>
+      </td>
+      <td xml:lang="en-US">
+        <tt>iptables</tt> controls the Linux kernel network packet filtering
+code. <tt>iptables</tt> allows system operators to set up firewalls and IP
+masquerading, etc.
+      </td>
+    </tr>
+    <tr>
       <td>Req-1.4.2</td>
       <td>Disable SCTP Support</td>
       <td xml:lang="en-US">
@@ -222,17 +222,35 @@
     </tr>
     <tr>
       <td>Req-1.4.3</td>
-      <td>Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces</td>
+      <td>Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default</td>
       <td xml:lang="en-US">
-        To set the runtime status of the <code>net.ipv4.icmp_echo_ignore_broadcasts</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1</pre>
-To make sure that the setting is persistent, add the following line to a file in the directory <tt>/etc/sysctl.d</tt>: <pre>net.ipv4.icmp_echo_ignore_broadcasts = 1</pre>
+        To set the runtime status of the <code>net.ipv6.conf.default.accept_source_route</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv6.conf.default.accept_source_route=0</pre>
+To make sure that the setting is persistent, add the following line to a file in the directory <tt>/etc/sysctl.d</tt>: <pre>net.ipv6.conf.default.accept_source_route = 0</pre>
       </td>
       <td xml:lang="en-US">
-        Responding to broadcast (ICMP) echoes facilitates network mapping
-and provides a vector for amplification attacks.
-<br />
-Ignoring ICMP echo requests (pings) sent to broadcast or multicast
-addresses makes the system slightly more difficult to enumerate on the network.
+        Source-routed packets allow the source of the packet to suggest routers
+forward the packet along a different path than configured on the router, which can
+be used to bypass network security measures. This requirement applies only to the
+forwarding of source-routerd traffic, such as when IPv6 forwarding is enabled and
+the system is functioning as a router.
+
+Accepting source-routed packets in the IPv6 protocol has few legitimate
+uses. It should be disabled unless it is absolutely required.
+      </td>
+    </tr>
+    <tr>
+      <td>Req-1.4.3</td>
+      <td>Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces</td>
+      <td xml:lang="en-US">
+        To set the runtime status of the <code>net.ipv4.conf.all.rp_filter</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.all.rp_filter=1</pre>
+To make sure that the setting is persistent, add the following line to a file in the directory <tt>/etc/sysctl.d</tt>: <pre>net.ipv4.conf.all.rp_filter = 1</pre>
+      </td>
+      <td xml:lang="en-US">
+        Enabling reverse path filtering drops packets with source addresses
+that should not have been able to be received on the interface they were
+received on. It should not be used on systems which are routers for
+complicated networks, but is helpful for end hosts and routers serving small
+networks.
       </td>
     </tr>
     <tr>
@@ -250,17 +268,14 @@
     </tr>
     <tr>
       <td>Req-1.4.3</td>
-      <td>Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces</td>
+      <td>Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces</td>
       <td xml:lang="en-US">
-        To set the runtime status of the <code>net.ipv4.conf.all.rp_filter</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.all.rp_filter=1</pre>
-To make sure that the setting is persistent, add the following line to a file in the directory <tt>/etc/sysctl.d</tt>: <pre>net.ipv4.conf.all.rp_filter = 1</pre>
+        To set the runtime status of the <code>net.ipv4.icmp_ignore_bogus_error_responses</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1</pre>
+To make sure that the setting is persistent, add the following line to a file in the directory <tt>/etc/sysctl.d</tt>: <pre>net.ipv4.icmp_ignore_bogus_error_responses = 1</pre>
       </td>
       <td xml:lang="en-US">
-        Enabling reverse path filtering drops packets with source addresses
-that should not have been able to be received on the interface they were
-received on. It should not be used on systems which are routers for
-complicated networks, but is helpful for end hosts and routers serving small
-networks.
+        Ignoring bogus ICMP error responses reduces
+log size, although some activity would not be logged.
       </td>
     </tr>
     <tr>
@@ -281,32 +296,17 @@
     </tr>
     <tr>
       <td>Req-1.4.3</td>
-      <td>Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default</td>
-      <td xml:lang="en-US">
-        To set the runtime status of the <code>net.ipv6.conf.default.accept_source_route</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv6.conf.default.accept_source_route=0</pre>
-To make sure that the setting is persistent, add the following line to a file in the directory <tt>/etc/sysctl.d</tt>: <pre>net.ipv6.conf.default.accept_source_route = 0</pre>
-      </td>
-      <td xml:lang="en-US">
-        Source-routed packets allow the source of the packet to suggest routers
-forward the packet along a different path than configured on the router, which can
-be used to bypass network security measures. This requirement applies only to the
-forwarding of source-routerd traffic, such as when IPv6 forwarding is enabled and
-the system is functioning as a router.
-
-Accepting source-routed packets in the IPv6 protocol has few legitimate
-uses. It should be disabled unless it is absolutely required.
-      </td>
-    </tr>
-    <tr>
-      <td>Req-1.4.3</td>
-      <td>Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces</td>
+      <td>Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces</td>
       <td xml:lang="en-US">
-        To set the runtime status of the <code>net.ipv4.icmp_ignore_bogus_error_responses</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1</pre>
-To make sure that the setting is persistent, add the following line to a file in the directory <tt>/etc/sysctl.d</tt>: <pre>net.ipv4.icmp_ignore_bogus_error_responses = 1</pre>
+        To set the runtime status of the <code>net.ipv4.icmp_echo_ignore_broadcasts</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1</pre>
+To make sure that the setting is persistent, add the following line to a file in the directory <tt>/etc/sysctl.d</tt>: <pre>net.ipv4.icmp_echo_ignore_broadcasts = 1</pre>
       </td>
       <td xml:lang="en-US">
-        Ignoring bogus ICMP error responses reduces
-log size, although some activity would not be logged.
+        Responding to broadcast (ICMP) echoes facilitates network mapping
+and provides a vector for amplification attacks.
+<br />
+Ignoring ICMP echo requests (pings) sent to broadcast or multicast
+addresses makes the system slightly more difficult to enumerate on the network.
       </td>
     </tr>
     <tr>
@@ -327,6 +327,23 @@
     </tr>
     <tr>
       <td>Req-2.2.2</td>
+      <td>Uninstall ypserv Package</td>
+      <td xml:lang="en-US">
+        The <code>ypserv</code> package can be removed with the following command:
+<pre>
+$ sudo yum erase ypserv</pre>
+      </td>
/usr/share/doc/scap-security-guide/tables/table-ol8-anssirefs.html differs (HTML document, UTF-8 Unicode text)
--- old//usr/share/doc/scap-security-guide/tables/table-ol8-anssirefs.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-ol8-anssirefs.html	2023-07-27 00:00:00.000000000 +0000
@@ -45,30 +45,6 @@
   <tbody>
   <tr>
       <td>BP28(R1)</td>
-      <td>Uninstall telnet-server Package</td>
-      <td xml:lang="en-US">
-        The <code>telnet-server</code> package can be removed with the following command:
-<pre>
-$ sudo yum erase telnet-server</pre>
-      </td>
-      <td xml:lang="en-US">
-        It is detrimental for operating systems to provide, or install by default,
-functionality exceeding requirements or mission objectives. These
-unnecessary capabilities are often overlooked and therefore may remain
-unsecure. They increase the risk to the platform by providing additional
-attack vectors.
-<br />
-The telnet service provides an unencrypted remote access service which does
-not provide for the confidentiality and integrity of user passwords or the
-remote session. If a privileged user were to login using this service, the
-privileged user password could be compromised.
-<br />
-Removing the <tt>telnet-server</tt> package decreases the risk of the
-telnet service's accidental (or intentional) activation.
-      </td>
-    </tr>
-    <tr>
-      <td>BP28(R1)</td>
       <td>Uninstall ypserv Package</td>
       <td xml:lang="en-US">
         The <code>ypserv</code> package can be removed with the following command:
@@ -86,6 +62,27 @@
     </tr>
     <tr>
       <td>BP28(R1)</td>
+      <td>Ensure SMEP is not disabled during boot</td>
+      <td xml:lang="en-US">
+        The SMEP is used to prevent the supervisor mode from executing user space code,
+it is enabled by default since Linux kernel 3.0. But it could be disabled through
+kernel boot parameters.
+
+Ensure that Supervisor Mode Execution Prevention (SMEP) is not disabled by
+the <tt>nosmep</tt> boot paramenter option.
+
+Check that the line <pre>GRUB_CMDLINE_LINUX="..."</pre> within <tt>/etc/default/grub</tt>
+doesn't contain the argument <tt>nosmep</tt>.
+Run the following command to update command line for already installed kernels:
+<pre># grubby --update-kernel=ALL --remove-args="nosmep"</pre>
+      </td>
+      <td xml:lang="en-US">
+        Disabling SMEP can facilitate exploitation of certain vulnerabilities because it allows
+the kernel to unintentionally execute code in less privileged memory space.
+      </td>
+    </tr>
+    <tr>
+      <td>BP28(R1)</td>
       <td>Ensure SMAP is not disabled during boot</td>
       <td xml:lang="en-US">
         The SMAP is used to prevent the supervisor mode from unintentionally reading/writing into
@@ -106,38 +103,6 @@
       </td>
     </tr>
     <tr>
-      <td>BP28(R1)</td>
-      <td>Uninstall DHCP Server Package</td>
-      <td xml:lang="en-US">
-        If the system does not need to act as a DHCP server,
-the dhcp package can be uninstalled.
-
-The <code>dhcp-server</code> package can be removed with the following command:
-<pre>
-$ sudo yum erase dhcp-server</pre>
-      </td>
-      <td xml:lang="en-US">
-        Removing the DHCP server ensures that it cannot be easily or
-accidentally reactivated and disrupt network operation.
-      </td>
-    </tr>
-    <tr>
-      <td>BP28(R1)</td>
-      <td>Uninstall tftp-server Package</td>
-      <td xml:lang="en-US">
-        The <code>tftp-server</code> package can be removed with the following command: <pre> $ sudo yum erase tftp-server</pre>
-      </td>
-      <td xml:lang="en-US">
-        Removing the <tt>tftp-server</tt> package decreases the risk of the accidental
-(or intentional) activation of tftp services.
-<br /><br />
-If TFTP is required for operational support (such as transmission of router
-configurations), its use must be documented with the Information Systems
-Securty Manager (ISSM), restricted to only authorized personnel, and have
-access control rules established.
-      </td>
-    </tr>
-    <tr>
       <td>BP28(R1)<br/>NT007(R03)</td>
       <td>Uninstall the telnet server</td>
       <td xml:lang="en-US">
@@ -151,35 +116,26 @@
     </tr>
     <tr>
       <td>BP28(R1)</td>
-      <td>Remove tftp Daemon</td>
-      <td xml:lang="en-US">
-        Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol,
-typically used to automatically transfer configuration or boot files between systems.
-TFTP does not support authentication and can be easily hacked. The package
-<tt>tftp</tt> is a client program that allows for connections to a <tt>tftp</tt> server.
-      </td>
-      <td xml:lang="en-US">
-        It is recommended that TFTP be removed, unless there is a specific need
-for TFTP (such as a boot server). In that case, use extreme caution when configuring
-the services.
-      </td>
-    </tr>
-    <tr>
-      <td>BP28(R1)</td>
-      <td>Uninstall talk Package</td>
+      <td>Uninstall telnet-server Package</td>
       <td xml:lang="en-US">
-        The <tt>talk</tt> package contains the client program for the
-Internet talk protocol, which allows the user to chat with other users on
-different systems. Talk is a communication program which copies lines from one
-terminal to the terminal of another user.
-The <code>talk</code> package can be removed with the following command:
+        The <code>telnet-server</code> package can be removed with the following command:
 <pre>
-$ sudo yum erase talk</pre>
+$ sudo yum erase telnet-server</pre>
       </td>
       <td xml:lang="en-US">
-        The talk software presents a security risk as it uses unencrypted protocols
-for communications. Removing the <tt>talk</tt> package decreases the
-risk of the accidental (or intentional) activation of talk client program.
+        It is detrimental for operating systems to provide, or install by default,
+functionality exceeding requirements or mission objectives. These
+unnecessary capabilities are often overlooked and therefore may remain
+unsecure. They increase the risk to the platform by providing additional
+attack vectors.
+<br />
+The telnet service provides an unencrypted remote access service which does
+not provide for the confidentiality and integrity of user passwords or the
+remote session. If a privileged user were to login using this service, the
+privileged user password could be compromised.
+<br />
+Removing the <tt>telnet-server</tt> package decreases the risk of the
+telnet service's accidental (or intentional) activation.
       </td>
     </tr>
     <tr>
@@ -204,29 +160,31 @@
     </tr>
     <tr>
       <td>BP28(R1)</td>
-      <td>Uninstall xinetd Package</td>
+      <td>Uninstall DHCP Server Package</td>
       <td xml:lang="en-US">
-        The <code>xinetd</code> package can be removed with the following command:
+        If the system does not need to act as a DHCP server,
+the dhcp package can be uninstalled.
+
+The <code>dhcp-server</code> package can be removed with the following command:
 <pre>
-$ sudo yum erase xinetd</pre>
+$ sudo yum erase dhcp-server</pre>
       </td>
       <td xml:lang="en-US">
-        Removing the <tt>xinetd</tt> package decreases the risk of the
-xinetd service's accidental (or intentional) activation.
+        Removing the DHCP server ensures that it cannot be easily or
+accidentally reactivated and disrupt network operation.
       </td>
     </tr>
     <tr>
       <td>BP28(R1)</td>
-      <td>Remove telnet Clients</td>
+      <td>Uninstall xinetd Package</td>
       <td xml:lang="en-US">
-        The telnet client allows users to start connections to other systems via
-the telnet protocol.
+        The <code>xinetd</code> package can be removed with the following command:
+<pre>
+$ sudo yum erase xinetd</pre>
       </td>
       <td xml:lang="en-US">
-        The <tt>telnet</tt> protocol is insecure and unencrypted. The use
-of an unencrypted transmission medium could allow an unauthorized user
-to steal credentials. The <tt>ssh</tt> package provides an
-encrypted session and stronger security and is included in Oracle Linux 8.
+        Removing the <tt>xinetd</tt> package decreases the risk of the
+xinetd service's accidental (or intentional) activation.
       </td>
     </tr>
     <tr>
@@ -248,6 +206,34 @@
     </tr>
     <tr>
       <td>BP28(R1)</td>
/usr/share/doc/scap-security-guide/tables/table-ol8-cuirefs.html differs (HTML document, ASCII text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-ol8-cuirefs.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-ol8-cuirefs.html	2023-07-27 00:00:00.000000000 +0000
@@ -44,57 +44,6 @@
   </thead>
   <tbody>
   <tr>
-      <td>3.1.1<br/>3.4.5</td>
-      <td>Require Authentication for Emergency Systemd Target</td>
-      <td xml:lang="en-US">
-        Emergency mode is intended as a system recovery
-method, providing a single user root access to the system
-during a failed boot sequence.
-<br /><br />
-By default, Emergency mode is protected by requiring a password and is set
-in <tt>/usr/lib/systemd/system/emergency.service</tt>.
-      </td>
-      <td xml:lang="en-US">
-        This prevents attackers with physical access from trivially bypassing security
-on the machine and gaining root access. Such accesses are further prevented
-by configuring the bootloader password.
-      </td>
-    </tr>
-    <tr>
-      <td>3.1.1<br/>3.4.5</td>
-      <td>Require Authentication for Single User Mode</td>
-      <td xml:lang="en-US">
-        Single-user mode is intended as a system recovery
-method, providing a single user root access to the system by
-providing a boot option at startup.
-<br /><br />
-By default, single-user mode is protected by requiring a password and is set
-in <tt>/usr/lib/systemd/system/rescue.service</tt>.
-      </td>
-      <td xml:lang="en-US">
-        This prevents attackers with physical access from trivially bypassing security
-on the machine and gaining root access. Such accesses are further prevented
-by configuring the bootloader password.
-      </td>
-    </tr>
-    <tr>
-      <td>3.1.1</td>
-      <td>Disable GDM Automatic Login</td>
-      <td xml:lang="en-US">
-        The GNOME Display Manager (GDM) can allow users to automatically login without
-user interaction or credentials. User should always be required to authenticate themselves
-to the system that they are authorized to use. To disable user ability to automatically
-login to the system, set the <tt>AutomaticLoginEnable</tt> to <tt>false</tt> in the
-<tt>[daemon]</tt> section in <tt>/etc/gdm/custom.conf</tt>. For example:
-<pre>[daemon]
-AutomaticLoginEnable=false</pre>
-      </td>
-      <td xml:lang="en-US">
-        Failure to restrict system access to authenticated users negatively impacts operating
-system security.
-      </td>
-    </tr>
-    <tr>
       <td>3.1.1<br/>3.1.6</td>
       <td>Direct root Logins Not Allowed</td>
       <td xml:lang="en-US">
@@ -139,6 +88,55 @@
     </tr>
     <tr>
       <td>3.1.1<br/>3.1.5</td>
+      <td>Restrict Serial Port Root Logins</td>
+      <td xml:lang="en-US">
+        To restrict root logins on serial ports,
+ensure lines of this form do not appear in <tt>/etc/securetty</tt>:
+<pre>ttyS0
+ttyS1</pre>
+      </td>
+      <td xml:lang="en-US">
+        Preventing direct root login to serial port interfaces
+helps ensure accountability for actions taken on the systems
+using the root account.
+      </td>
+    </tr>
+    <tr>
+      <td>3.1.1<br/>3.4.5</td>
+      <td>Require Authentication for Single User Mode</td>
+      <td xml:lang="en-US">
+        Single-user mode is intended as a system recovery
+method, providing a single user root access to the system by
+providing a boot option at startup.
+<br /><br />
+By default, single-user mode is protected by requiring a password and is set
+in <tt>/usr/lib/systemd/system/rescue.service</tt>.
+      </td>
+      <td xml:lang="en-US">
+        This prevents attackers with physical access from trivially bypassing security
+on the machine and gaining root access. Such accesses are further prevented
+by configuring the bootloader password.
+      </td>
+    </tr>
+    <tr>
+      <td>3.1.1</td>
+      <td>Disable GDM Automatic Login</td>
+      <td xml:lang="en-US">
+        The GNOME Display Manager (GDM) can allow users to automatically login without
+user interaction or credentials. User should always be required to authenticate themselves
+to the system that they are authorized to use. To disable user ability to automatically
+login to the system, set the <tt>AutomaticLoginEnable</tt> to <tt>false</tt> in the
+<tt>[daemon]</tt> section in <tt>/etc/gdm/custom.conf</tt>. For example:
+<pre>[daemon]
+AutomaticLoginEnable=false</pre>
+      </td>
+      <td xml:lang="en-US">
+        Failure to restrict system access to authenticated users negatively impacts operating
+system security.
+      </td>
+    </tr>
+    <tr>
+      <td>3.1.1<br/>3.1.5</td>
       <td>Disable SSH Access via Empty Passwords</td>
       <td xml:lang="en-US">
         Disallow SSH login with empty passwords.
@@ -163,18 +161,20 @@
       </td>
     </tr>
     <tr>
-      <td>3.1.1<br/>3.1.5</td>
-      <td>Restrict Serial Port Root Logins</td>
+      <td>3.1.1<br/>3.4.5</td>
+      <td>Require Authentication for Emergency Systemd Target</td>
       <td xml:lang="en-US">
-        To restrict root logins on serial ports,
-ensure lines of this form do not appear in <tt>/etc/securetty</tt>:
-<pre>ttyS0
-ttyS1</pre>
+        Emergency mode is intended as a system recovery
+method, providing a single user root access to the system
+during a failed boot sequence.
+<br /><br />
+By default, Emergency mode is protected by requiring a password and is set
+in <tt>/usr/lib/systemd/system/emergency.service</tt>.
       </td>
       <td xml:lang="en-US">
-        Preventing direct root login to serial port interfaces
-helps ensure accountability for actions taken on the systems
-using the root account.
+        This prevents attackers with physical access from trivially bypassing security
+on the machine and gaining root access. Such accesses are further prevented
+by configuring the bootloader password.
       </td>
     </tr>
     <tr>
@@ -258,10 +258,9 @@
     </tr>
     <tr>
       <td>3.1.2<br/>3.7.2</td>
-      <td>Ensure SELinux Not Disabled in /etc/default/grub</td>
+      <td>Ensure SELinux Not Disabled in the kernel arguments</td>
       <td xml:lang="en-US">
-        SELinux can be disabled at boot time by an argument in
-<tt>/etc/default/grub</tt>.
+        SELinux can be disabled at boot time by disabling it via a kernel argument.
 Remove any instances of <tt>selinux=0</tt> from the kernel arguments in that
 file to prevent SELinux from being disabled at boot.
       </td>
@@ -273,9 +272,10 @@
     </tr>
     <tr>
       <td>3.1.2<br/>3.7.2</td>
-      <td>Ensure SELinux Not Disabled in the kernel arguments</td>
+      <td>Ensure SELinux Not Disabled in /etc/default/grub</td>
       <td xml:lang="en-US">
-        SELinux can be disabled at boot time by disabling it via a kernel argument.
+        SELinux can be disabled at boot time by an argument in
+<tt>/etc/default/grub</tt>.
 Remove any instances of <tt>selinux=0</tt> from the kernel arguments in that
 file to prevent SELinux from being disabled at boot.
       </td>
@@ -286,21 +286,27 @@
       </td>
     </tr>
     <tr>
-      <td>3.1.2<br/>3.1.5<br/>3.7.2</td>
-      <td>Ensure No Daemons are Unconfined by SELinux</td>
+      <td>3.1.2<br/>3.4.5</td>
+      <td>Verify that Interactive Boot is Disabled</td>
       <td xml:lang="en-US">
-        Daemons for which the SELinux policy does not contain rules will inherit the
-context of the parent process. Because daemons are launched during
-startup and descend from the <tt>init</tt> process, they inherit the <tt>unconfined_service_t</tt> context.
-<br />
-<br />
-To check for unconfined daemons, run the following command:
-<pre>$ sudo ps -eZ | grep "unconfined_service_t"</pre>
-It should produce no output in a well-configured system.
+        Oracle Linux 8 systems support an "interactive boot" option that can
+be used to prevent services from being started. On a Oracle Linux 8
+system, interactive boot can be enabled by providing a <tt>1</tt>,
+<tt>yes</tt>, <tt>true</tt>, or <tt>on</tt> value to the
+<tt>systemd.confirm_spawn</tt> kernel argument in <tt>/etc/default/grub</tt>.
+Remove any instance of <pre>systemd.confirm_spawn=(1|yes|true|on)</pre> from
+the kernel arguments in that file to disable interactive boot.
+Recovery booting must also be disabled. Confirm that
+<tt>GRUB_DISABLE_RECOVERY=true</tt> is set in  <tt>/etc/default/grub</tt>.
+It is also required to change the runtime configuration, run:
+
/usr/share/doc/scap-security-guide/tables/table-ol8-nistrefs.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-ol8-nistrefs.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-ol8-nistrefs.html	2023-07-27 00:00:00.000000000 +0000
@@ -44,137 +44,47 @@
   </thead>
   <tbody>
   <tr>
-      <td>AU-2(d)<br/>AU-12(c)<br/>CM-6(a)</td>
-      <td>Record Unsuccessful Modification Attempts to Files - open_by_handle_at O_TRUNC_WRITE</td>
-      <td xml:lang="en-US">
-        The audit system should collect detailed unauthorized file accesses for
-all users and root. The <tt>open_by_handle_at</tt> syscall can be used to modify files
-if called for write operation of with O_TRUNC_WRITE flag.
-
-The following auidt rules will asure that unsuccessful attempts to modify a
-file via <tt>open_by_handle_at</tt> syscall are collected.
-
-If the <tt>auditd</tt> daemon is configured to use the <tt>augenrules</tt>
-program to read audit rules during daemon startup (the default), add the
-rules below to a file with suffix <tt>.rules</tt> in the directory
-<tt>/etc/audit/rules.d</tt>.
-
-If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
-utility to read audit rules during daemon startup, add the rules below to
-<tt>/etc/audit/audit.rules</tt> file.
-<pre>
--a always,exit -F arch=b32 -S open_by_handle_at -F a2&amp;01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
--a always,exit -F arch=b32 -S open_by_handle_at -F a2&amp;01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-</pre>
-
-If the system is 64 bit then also add the following lines:
-<pre>
--a always,exit -F arch=b64 -S open_by_handle_at -F a2&amp;01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
--a always,exit -F arch=b64 -S open_by_handle_at -F a2&amp;01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-</pre>
-      </td>
-      <td xml:lang="en-US">
-        Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
-these events could serve as evidence of potential system compromise.
-      </td>
-    </tr>
-    <tr>
-      <td>AU-2<br/>CM-8(3)<br/>IA-3</td>
-      <td>Log USBGuard daemon audit events using Linux Audit</td>
-      <td xml:lang="en-US">
-        To configure USBGuard daemon to log via Linux Audit
-(as opposed directly to a file),
-<tt>AuditBackend</tt> option in <tt>/etc/usbguard/usbguard-daemon.conf</tt>
-needs to be set to <tt>LinuxAudit</tt>.
-      </td>
-      <td xml:lang="en-US">
-        Using the Linux Audit logging allows for centralized trace
-of events.
-      </td>
-    </tr>
-    <tr>
-      <td>AU-2(d)<br/>AU-12(c)<br/>CM-6(a)</td>
-      <td>Record Unsuccessful Permission Changes to Files - fremovexattr</td>
-      <td xml:lang="en-US">
-        The audit system should collect unsuccessful file permission change
-attempts for all users and root.
-If the <tt>auditd</tt> daemon is configured
-to use the <tt>augenrules</tt> program to read audit rules during daemon
-startup (the default), add the following lines to a file with suffix
-<tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>.
-If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
-utility to read audit rules during daemon startup, add the following lines to
-<tt>/etc/audit/audit.rules</tt> file.
-<pre>-a always,exit -F arch=b32 -S fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
--a always,exit -F arch=b32 -S fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change</pre>
-If the system is 64 bit then also add the following lines:
-<pre>-a always,exit -F arch=b64 -S fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
--a always,exit -F arch=b64 -S fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change</pre>
-      </td>
-      <td xml:lang="en-US">
-        Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing
-these events could serve as evidence of potential system compromise.
-      </td>
-    </tr>
-    <tr>
-      <td>AU-2(a)</td>
-      <td>Configure auditing of unsuccessful ownership changes</td>
-      <td xml:lang="en-US">
-        Ensure that unsuccessful attempts to change an ownership of files or directories are audited.
-
-The following rules configure audit as described above:
-<pre>## Unsuccessful ownership change
--a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-owner-change
--a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-owner-change
--a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-owner-change
--a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-owner-change    </pre>
-
-Load new Audit rules into kernel by running:
-<pre>augenrules --load</pre>
-
-Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.
-      </td>
-      <td xml:lang="en-US">
-        Unsuccessful attempts to change an ownership of files or directories might be signs of a malicious activity. Having such events audited helps in monitoring and investigation of such activities.
-      </td>
-    </tr>
-    <tr>
-      <td>AU-2(d)<br/>AU-12(c)<br/>CM-6(a)</td>
-      <td>Ensure auditd Collects File Deletion Events by User - unlinkat</td>
+      <td>AU-2(d)<br/>AU-12(c)<br/>AC-6(9)<br/>CM-6(a)</td>
+      <td>Record Attempts to Alter Logon and Logout Events - tallylog</td>
       <td xml:lang="en-US">
-        At a minimum, the audit system should collect file deletion events
-for all users and root. If the <tt>auditd</tt> daemon is configured to use the
+        The audit system already collects login information for all users
+and root. If the <tt>auditd</tt> daemon is configured to use the
 <tt>augenrules</tt> program to read audit rules during daemon startup (the
-default), add the following line to a file with suffix <tt>.rules</tt> in the
-directory <tt>/etc/audit/rules.d</tt>, setting ARCH to either b32 or b64 as
-appropriate for your system:
-<pre>-a always,exit -F arch=ARCH -S unlinkat -F auid&gt;=1000 -F auid!=unset -F key=delete</pre>
+default), add the following lines to a file with suffix <tt>.rules</tt> in the
+directory <tt>/etc/audit/rules.d</tt> in order to watch for attempted manual
+edits of files involved in storing logon events:
+<pre>-w /var/log/tallylog -p wa -k logins</pre>
 If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
-utility to read audit rules during daemon startup, add the following line to
-<tt>/etc/audit/audit.rules</tt> file, setting ARCH to either b32 or b64 as
-appropriate for your system:
-<pre>-a always,exit -F arch=ARCH -S unlinkat -F auid&gt;=1000 -F auid!=unset -F key=delete</pre>
+utility to read audit rules during daemon startup, add the following lines to
+<tt>/etc/audit/audit.rules</tt> file in order to watch for unattempted manual
+edits of files involved in storing logon events:
+<pre>-w /var/log/tallylog -p wa -k logins</pre>
       </td>
       <td xml:lang="en-US">
-        Auditing file deletions will create an audit trail for files that are removed
-from the system. The audit trail could aid in system troubleshooting, as well as, detecting
-malicious processes that attempt to delete log files to conceal their presence.
+        Manual editing of these files may indicate nefarious activity, such
+as an attacker attempting to remove evidence of an intrusion.
       </td>
     </tr>
     <tr>
       <td>AU-2(a)</td>
-      <td>Configure auditing of successful file creations</td>
+      <td>Configure auditing of unsuccessful file modifications</td>
       <td xml:lang="en-US">
-        Ensure that successful attempts to create a file are audited.
+        Ensure that unsuccessful attempts to modify a file are audited.
 
 The following rules configure audit as described above:
-<pre>## Successful file creation (open with O_CREAT)
--a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&amp;0100 -F success=1 -F auid&gt;=1000 -F auid!=unset -F key=successful-create
--a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&amp;0100 -F success=1 -F auid&gt;=1000 -F auid!=unset -F key=successful-create
--a always,exit -F arch=b32 -S open -F a1&amp;0100 -F success=1 -F auid&gt;=1000 -F auid!=unset -F key=successful-create
--a always,exit -F arch=b64 -S open -F a1&amp;0100 -F success=1 -F auid&gt;=1000 -F auid!=unset -F key=successful-create
--a always,exit -F arch=b32 -S creat -F success=1 -F auid&gt;=1000 -F auid!=unset -F key=successful-create
--a always,exit -F arch=b64 -S creat -F success=1 -F auid&gt;=1000 -F auid!=unset -F key=successful-create    </pre>
+<pre>## Unsuccessful file modifications (open for write or truncate)
+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&amp;01003 -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-modification
+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&amp;01003 -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-modification
+-a always,exit -F arch=b32 -S open -F a1&amp;01003 -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-modification
+-a always,exit -F arch=b64 -S open -F a1&amp;01003 -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-modification
+-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-modification
+-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-modification
+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&amp;01003 -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-modification
+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&amp;01003 -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-modification
+-a always,exit -F arch=b32 -S open -F a1&amp;01003 -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-modification
+-a always,exit -F arch=b64 -S open -F a1&amp;01003 -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-modification
+-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-modification
+-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-modification    </pre>
 
 Load new Audit rules into kernel by running:
 <pre>augenrules --load</pre>
@@ -182,83 +92,30 @@
 Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.
       </td>
       <td xml:lang="en-US">
-        Auditing of successful attempts to create a file helps in investigation of actions which happened on the system.
+        Unsuccessful file modifications might be a sign of a malicious action being performed on the system. Auditing of such events helps in detection and investigation of such actions.
       </td>
     </tr>
     <tr>
-      <td>AU-2(d)<br/>AU-12(c)<br/>CM-6(a)</td>
-      <td>Ensure auditd Collects File Deletion Events by User - rename</td>
+      <td>AU-2(d)<br/>AU-12(c)<br/>AC-6(9)<br/>CM-6(a)</td>
+      <td>Record attempts to alter time through adjtimex</td>
       <td xml:lang="en-US">
-        At a minimum, the audit system should collect file deletion events
-for all users and root. If the <tt>auditd</tt> daemon is configured to use the
+        If the <tt>auditd</tt> daemon is configured to use the
 <tt>augenrules</tt> program to read audit rules during daemon startup (the
 default), add the following line to a file with suffix <tt>.rules</tt> in the
-directory <tt>/etc/audit/rules.d</tt>, setting ARCH to either b32 or b64 as
-appropriate for your system:
-<pre>-a always,exit -F arch=ARCH -S rename -F auid&gt;=1000 -F auid!=unset -F key=delete</pre>
-If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
-utility to read audit rules during daemon startup, add the following line to
-<tt>/etc/audit/audit.rules</tt> file, setting ARCH to either b32 or b64 as
-appropriate for your system:
-<pre>-a always,exit -F arch=ARCH -S rename -F auid&gt;=1000 -F auid!=unset -F key=delete</pre>
-      </td>
-      <td xml:lang="en-US">
-        Auditing file deletions will create an audit trail for files that are removed
-from the system. The audit trail could aid in system troubleshooting, as well as, detecting
/usr/share/doc/scap-security-guide/tables/table-ol8-pcidssrefs.html differs (HTML document, ASCII text)
--- old//usr/share/doc/scap-security-guide/tables/table-ol8-pcidssrefs.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-ol8-pcidssrefs.html	2023-07-27 00:00:00.000000000 +0000
@@ -45,7 +45,7 @@
   <tbody>
   <tr>
       <td>Req-1.3</td>
-      <td>Set configuration for IPv6 loopback traffic</td>
+      <td>Set configuration for loopback traffic</td>
       <td xml:lang="en-US">
         Configure the loopback interface to accept traffic.
 Configure all other interfaces to deny traffic to the loopback
@@ -54,14 +54,14 @@
       <td xml:lang="en-US">
         Loopback traffic is generated between processes on machine and is
 typically critical to operation of the system. The loopback interface
-is the only place that loopback network traffic should be seen,
-all other interfaces should ignore traffic on this network as an
+is the only place that loopback network traffic should be seen, all
+other interfaces should ignore traffic on this network as an
 anti-spoofing measure.
       </td>
     </tr>
     <tr>
       <td>Req-1.3</td>
-      <td>Set configuration for loopback traffic</td>
+      <td>Set configuration for IPv6 loopback traffic</td>
       <td xml:lang="en-US">
         Configure the loopback interface to accept traffic.
 Configure all other interfaces to deny traffic to the loopback
@@ -70,8 +70,8 @@
       <td xml:lang="en-US">
         Loopback traffic is generated between processes on machine and is
 typically critical to operation of the system. The loopback interface
-is the only place that loopback network traffic should be seen, all
-other interfaces should ignore traffic on this network as an
+is the only place that loopback network traffic should be seen,
+all other interfaces should ignore traffic on this network as an
 anti-spoofing measure.
       </td>
     </tr>
@@ -149,20 +149,6 @@
     </tr>
     <tr>
       <td>Req-1.4.1</td>
-      <td>Install iptables Package</td>
-      <td xml:lang="en-US">
-        The <code>iptables</code> package can be installed with the following command:
-<pre>
-$ sudo yum install iptables</pre>
-      </td>
-      <td xml:lang="en-US">
-        <tt>iptables</tt> controls the Linux kernel network packet filtering
-code. <tt>iptables</tt> allows system operators to set up firewalls and IP
-masquerading, etc.
-      </td>
-    </tr>
-    <tr>
-      <td>Req-1.4.1</td>
       <td>Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces</td>
       <td xml:lang="en-US">
         To set the runtime status of the <code>net.ipv4.tcp_syncookies</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.tcp_syncookies=1</pre>
@@ -178,6 +164,20 @@
       </td>
     </tr>
     <tr>
+      <td>Req-1.4.1</td>
+      <td>Install iptables Package</td>
+      <td xml:lang="en-US">
+        The <code>iptables</code> package can be installed with the following command:
+<pre>
+$ sudo yum install iptables</pre>
+      </td>
+      <td xml:lang="en-US">
+        <tt>iptables</tt> controls the Linux kernel network packet filtering
+code. <tt>iptables</tt> allows system operators to set up firewalls and IP
+masquerading, etc.
+      </td>
+    </tr>
+    <tr>
       <td>Req-1.4.2</td>
       <td>Disable SCTP Support</td>
       <td xml:lang="en-US">
@@ -222,17 +222,35 @@
     </tr>
     <tr>
       <td>Req-1.4.3</td>
-      <td>Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces</td>
+      <td>Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default</td>
       <td xml:lang="en-US">
-        To set the runtime status of the <code>net.ipv4.icmp_echo_ignore_broadcasts</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1</pre>
-To make sure that the setting is persistent, add the following line to a file in the directory <tt>/etc/sysctl.d</tt>: <pre>net.ipv4.icmp_echo_ignore_broadcasts = 1</pre>
+        To set the runtime status of the <code>net.ipv6.conf.default.accept_source_route</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv6.conf.default.accept_source_route=0</pre>
+To make sure that the setting is persistent, add the following line to a file in the directory <tt>/etc/sysctl.d</tt>: <pre>net.ipv6.conf.default.accept_source_route = 0</pre>
       </td>
       <td xml:lang="en-US">
-        Responding to broadcast (ICMP) echoes facilitates network mapping
-and provides a vector for amplification attacks.
-<br />
-Ignoring ICMP echo requests (pings) sent to broadcast or multicast
-addresses makes the system slightly more difficult to enumerate on the network.
+        Source-routed packets allow the source of the packet to suggest routers
+forward the packet along a different path than configured on the router, which can
+be used to bypass network security measures. This requirement applies only to the
+forwarding of source-routerd traffic, such as when IPv6 forwarding is enabled and
+the system is functioning as a router.
+
+Accepting source-routed packets in the IPv6 protocol has few legitimate
+uses. It should be disabled unless it is absolutely required.
+      </td>
+    </tr>
+    <tr>
+      <td>Req-1.4.3</td>
+      <td>Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces</td>
+      <td xml:lang="en-US">
+        To set the runtime status of the <code>net.ipv4.conf.all.rp_filter</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.all.rp_filter=1</pre>
+To make sure that the setting is persistent, add the following line to a file in the directory <tt>/etc/sysctl.d</tt>: <pre>net.ipv4.conf.all.rp_filter = 1</pre>
+      </td>
+      <td xml:lang="en-US">
+        Enabling reverse path filtering drops packets with source addresses
+that should not have been able to be received on the interface they were
+received on. It should not be used on systems which are routers for
+complicated networks, but is helpful for end hosts and routers serving small
+networks.
       </td>
     </tr>
     <tr>
@@ -250,17 +268,14 @@
     </tr>
     <tr>
       <td>Req-1.4.3</td>
-      <td>Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces</td>
+      <td>Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces</td>
       <td xml:lang="en-US">
-        To set the runtime status of the <code>net.ipv4.conf.all.rp_filter</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.all.rp_filter=1</pre>
-To make sure that the setting is persistent, add the following line to a file in the directory <tt>/etc/sysctl.d</tt>: <pre>net.ipv4.conf.all.rp_filter = 1</pre>
+        To set the runtime status of the <code>net.ipv4.icmp_ignore_bogus_error_responses</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1</pre>
+To make sure that the setting is persistent, add the following line to a file in the directory <tt>/etc/sysctl.d</tt>: <pre>net.ipv4.icmp_ignore_bogus_error_responses = 1</pre>
       </td>
       <td xml:lang="en-US">
-        Enabling reverse path filtering drops packets with source addresses
-that should not have been able to be received on the interface they were
-received on. It should not be used on systems which are routers for
-complicated networks, but is helpful for end hosts and routers serving small
-networks.
+        Ignoring bogus ICMP error responses reduces
+log size, although some activity would not be logged.
       </td>
     </tr>
     <tr>
@@ -281,32 +296,33 @@
     </tr>
     <tr>
       <td>Req-1.4.3</td>
-      <td>Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default</td>
+      <td>Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces</td>
       <td xml:lang="en-US">
-        To set the runtime status of the <code>net.ipv6.conf.default.accept_source_route</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv6.conf.default.accept_source_route=0</pre>
-To make sure that the setting is persistent, add the following line to a file in the directory <tt>/etc/sysctl.d</tt>: <pre>net.ipv6.conf.default.accept_source_route = 0</pre>
+        To set the runtime status of the <code>net.ipv4.icmp_echo_ignore_broadcasts</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1</pre>
+To make sure that the setting is persistent, add the following line to a file in the directory <tt>/etc/sysctl.d</tt>: <pre>net.ipv4.icmp_echo_ignore_broadcasts = 1</pre>
       </td>
       <td xml:lang="en-US">
-        Source-routed packets allow the source of the packet to suggest routers
-forward the packet along a different path than configured on the router, which can
-be used to bypass network security measures. This requirement applies only to the
-forwarding of source-routerd traffic, such as when IPv6 forwarding is enabled and
-the system is functioning as a router.
-
-Accepting source-routed packets in the IPv6 protocol has few legitimate
-uses. It should be disabled unless it is absolutely required.
+        Responding to broadcast (ICMP) echoes facilitates network mapping
+and provides a vector for amplification attacks.
+<br />
+Ignoring ICMP echo requests (pings) sent to broadcast or multicast
+addresses makes the system slightly more difficult to enumerate on the network.
       </td>
     </tr>
     <tr>
-      <td>Req-1.4.3</td>
-      <td>Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces</td>
+      <td>Req-2.2</td>
+      <td>Configure SSH to use System Crypto Policy</td>
       <td xml:lang="en-US">
-        To set the runtime status of the <code>net.ipv4.icmp_ignore_bogus_error_responses</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1</pre>
-To make sure that the setting is persistent, add the following line to a file in the directory <tt>/etc/sysctl.d</tt>: <pre>net.ipv4.icmp_ignore_bogus_error_responses = 1</pre>
+        Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
+SSH is supported by crypto policy, but the SSH configuration may be
+set up to ignore it.
+To check that Crypto Policies settings are configured correctly, ensure that
+the <tt>CRYPTO_POLICY</tt> variable is either commented or not set at all
+in the <tt>/etc/sysconfig/sshd</tt>.
       </td>
       <td xml:lang="en-US">
-        Ignoring bogus ICMP error responses reduces
-log size, although some activity would not be logged.
+        Overriding the system crypto policy makes the behavior of the SSH service violate expectations,
+and makes system configuration more fragmented.
       </td>
     </tr>
     <tr>
/usr/share/doc/scap-security-guide/tables/table-rhcos4-nistrefs.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-rhcos4-nistrefs.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-rhcos4-nistrefs.html	2023-07-27 00:00:00.000000000 +0000
@@ -44,137 +44,47 @@
   </thead>
   <tbody>
   <tr>
-      <td>AU-2(d)<br/>AU-12(c)<br/>CM-6(a)</td>
-      <td>Record Unsuccessful Modification Attempts to Files - open_by_handle_at O_TRUNC_WRITE</td>
-      <td xml:lang="en-US">
-        The audit system should collect detailed unauthorized file accesses for
-all users and root. The <tt>open_by_handle_at</tt> syscall can be used to modify files
-if called for write operation of with O_TRUNC_WRITE flag.
-
-The following auidt rules will asure that unsuccessful attempts to modify a
-file via <tt>open_by_handle_at</tt> syscall are collected.
-
-If the <tt>auditd</tt> daemon is configured to use the <tt>augenrules</tt>
-program to read audit rules during daemon startup (the default), add the
-rules below to a file with suffix <tt>.rules</tt> in the directory
-<tt>/etc/audit/rules.d</tt>.
-
-If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
-utility to read audit rules during daemon startup, add the rules below to
-<tt>/etc/audit/audit.rules</tt> file.
-<pre>
--a always,exit -F arch=b32 -S open_by_handle_at -F a2&amp;01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
--a always,exit -F arch=b32 -S open_by_handle_at -F a2&amp;01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-</pre>
-
-If the system is 64 bit then also add the following lines:
-<pre>
--a always,exit -F arch=b64 -S open_by_handle_at -F a2&amp;01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
--a always,exit -F arch=b64 -S open_by_handle_at -F a2&amp;01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-</pre>
-      </td>
-      <td xml:lang="en-US">
-        Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
-these events could serve as evidence of potential system compromise.
-      </td>
-    </tr>
-    <tr>
-      <td>AU-2<br/>CM-8(3)<br/>IA-3</td>
-      <td>Log USBGuard daemon audit events using Linux Audit</td>
-      <td xml:lang="en-US">
-        To configure USBGuard daemon to log via Linux Audit
-(as opposed directly to a file),
-<tt>AuditBackend</tt> option in <tt>/etc/usbguard/usbguard-daemon.conf</tt>
-needs to be set to <tt>LinuxAudit</tt>.
-      </td>
-      <td xml:lang="en-US">
-        Using the Linux Audit logging allows for centralized trace
-of events.
-      </td>
-    </tr>
-    <tr>
-      <td>AU-2(d)<br/>AU-12(c)<br/>CM-6(a)</td>
-      <td>Record Unsuccessful Permission Changes to Files - fremovexattr</td>
-      <td xml:lang="en-US">
-        The audit system should collect unsuccessful file permission change
-attempts for all users and root.
-If the <tt>auditd</tt> daemon is configured
-to use the <tt>augenrules</tt> program to read audit rules during daemon
-startup (the default), add the following lines to a file with suffix
-<tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>.
-If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
-utility to read audit rules during daemon startup, add the following lines to
-<tt>/etc/audit/audit.rules</tt> file.
-<pre>-a always,exit -F arch=b32 -S fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
--a always,exit -F arch=b32 -S fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change</pre>
-If the system is 64 bit then also add the following lines:
-<pre>-a always,exit -F arch=b64 -S fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
--a always,exit -F arch=b64 -S fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change</pre>
-      </td>
-      <td xml:lang="en-US">
-        Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing
-these events could serve as evidence of potential system compromise.
-      </td>
-    </tr>
-    <tr>
-      <td>AU-2(a)</td>
-      <td>Configure auditing of unsuccessful ownership changes</td>
-      <td xml:lang="en-US">
-        Ensure that unsuccessful attempts to change an ownership of files or directories are audited.
-
-The following rules configure audit as described above:
-<pre>## Unsuccessful ownership change
--a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-owner-change
--a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-owner-change
--a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-owner-change
--a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-owner-change    </pre>
-
-Load new Audit rules into kernel by running:
-<pre>augenrules --load</pre>
-
-Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.
-      </td>
-      <td xml:lang="en-US">
-        Unsuccessful attempts to change an ownership of files or directories might be signs of a malicious activity. Having such events audited helps in monitoring and investigation of such activities.
-      </td>
-    </tr>
-    <tr>
-      <td>AU-2(d)<br/>AU-12(c)<br/>CM-6(a)</td>
-      <td>Ensure auditd Collects File Deletion Events by User - unlinkat</td>
+      <td>AU-2(d)<br/>AU-12(c)<br/>AC-6(9)<br/>CM-6(a)</td>
+      <td>Record Attempts to Alter Logon and Logout Events - tallylog</td>
       <td xml:lang="en-US">
-        At a minimum, the audit system should collect file deletion events
-for all users and root. If the <tt>auditd</tt> daemon is configured to use the
+        The audit system already collects login information for all users
+and root. If the <tt>auditd</tt> daemon is configured to use the
 <tt>augenrules</tt> program to read audit rules during daemon startup (the
-default), add the following line to a file with suffix <tt>.rules</tt> in the
-directory <tt>/etc/audit/rules.d</tt>, setting ARCH to either b32 or b64 as
-appropriate for your system:
-<pre>-a always,exit -F arch=ARCH -S unlinkat -F auid&gt;=1000 -F auid!=unset -F key=delete</pre>
+default), add the following lines to a file with suffix <tt>.rules</tt> in the
+directory <tt>/etc/audit/rules.d</tt> in order to watch for attempted manual
+edits of files involved in storing logon events:
+<pre>-w /var/log/tallylog -p wa -k logins</pre>
 If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
-utility to read audit rules during daemon startup, add the following line to
-<tt>/etc/audit/audit.rules</tt> file, setting ARCH to either b32 or b64 as
-appropriate for your system:
-<pre>-a always,exit -F arch=ARCH -S unlinkat -F auid&gt;=1000 -F auid!=unset -F key=delete</pre>
+utility to read audit rules during daemon startup, add the following lines to
+<tt>/etc/audit/audit.rules</tt> file in order to watch for unattempted manual
+edits of files involved in storing logon events:
+<pre>-w /var/log/tallylog -p wa -k logins</pre>
       </td>
       <td xml:lang="en-US">
-        Auditing file deletions will create an audit trail for files that are removed
-from the system. The audit trail could aid in system troubleshooting, as well as, detecting
-malicious processes that attempt to delete log files to conceal their presence.
+        Manual editing of these files may indicate nefarious activity, such
+as an attacker attempting to remove evidence of an intrusion.
       </td>
     </tr>
     <tr>
       <td>AU-2(a)</td>
-      <td>Configure auditing of successful file creations</td>
+      <td>Configure auditing of unsuccessful file modifications</td>
       <td xml:lang="en-US">
-        Ensure that successful attempts to create a file are audited.
+        Ensure that unsuccessful attempts to modify a file are audited.
 
 The following rules configure audit as described above:
-<pre>## Successful file creation (open with O_CREAT)
--a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&amp;0100 -F success=1 -F auid&gt;=1000 -F auid!=unset -F key=successful-create
--a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&amp;0100 -F success=1 -F auid&gt;=1000 -F auid!=unset -F key=successful-create
--a always,exit -F arch=b32 -S open -F a1&amp;0100 -F success=1 -F auid&gt;=1000 -F auid!=unset -F key=successful-create
--a always,exit -F arch=b64 -S open -F a1&amp;0100 -F success=1 -F auid&gt;=1000 -F auid!=unset -F key=successful-create
--a always,exit -F arch=b32 -S creat -F success=1 -F auid&gt;=1000 -F auid!=unset -F key=successful-create
--a always,exit -F arch=b64 -S creat -F success=1 -F auid&gt;=1000 -F auid!=unset -F key=successful-create    </pre>
+<pre>## Unsuccessful file modifications (open for write or truncate)
+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&amp;01003 -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-modification
+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&amp;01003 -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-modification
+-a always,exit -F arch=b32 -S open -F a1&amp;01003 -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-modification
+-a always,exit -F arch=b64 -S open -F a1&amp;01003 -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-modification
+-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-modification
+-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-modification
+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&amp;01003 -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-modification
+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&amp;01003 -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-modification
+-a always,exit -F arch=b32 -S open -F a1&amp;01003 -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-modification
+-a always,exit -F arch=b64 -S open -F a1&amp;01003 -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-modification
+-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-modification
+-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-modification    </pre>
 
 Load new Audit rules into kernel by running:
 <pre>augenrules --load</pre>
@@ -182,83 +92,30 @@
 Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.
       </td>
       <td xml:lang="en-US">
-        Auditing of successful attempts to create a file helps in investigation of actions which happened on the system.
+        Unsuccessful file modifications might be a sign of a malicious action being performed on the system. Auditing of such events helps in detection and investigation of such actions.
       </td>
     </tr>
     <tr>
-      <td>AU-2(d)<br/>AU-12(c)<br/>CM-6(a)</td>
-      <td>Ensure auditd Collects File Deletion Events by User - rename</td>
+      <td>AU-2(d)<br/>AU-12(c)<br/>AC-6(9)<br/>CM-6(a)</td>
+      <td>Record attempts to alter time through adjtimex</td>
       <td xml:lang="en-US">
-        At a minimum, the audit system should collect file deletion events
-for all users and root. If the <tt>auditd</tt> daemon is configured to use the
+        If the <tt>auditd</tt> daemon is configured to use the
 <tt>augenrules</tt> program to read audit rules during daemon startup (the
 default), add the following line to a file with suffix <tt>.rules</tt> in the
-directory <tt>/etc/audit/rules.d</tt>, setting ARCH to either b32 or b64 as
-appropriate for your system:
-<pre>-a always,exit -F arch=ARCH -S rename -F auid&gt;=1000 -F auid!=unset -F key=delete</pre>
-If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
-utility to read audit rules during daemon startup, add the following line to
-<tt>/etc/audit/audit.rules</tt> file, setting ARCH to either b32 or b64 as
-appropriate for your system:
-<pre>-a always,exit -F arch=ARCH -S rename -F auid&gt;=1000 -F auid!=unset -F key=delete</pre>
-      </td>
-      <td xml:lang="en-US">
-        Auditing file deletions will create an audit trail for files that are removed
-from the system. The audit trail could aid in system troubleshooting, as well as, detecting
/usr/share/doc/scap-security-guide/tables/table-rhel7-anssirefs.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-rhel7-anssirefs.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-rhel7-anssirefs.html	2023-07-27 00:00:00.000000000 +0000
@@ -45,30 +45,6 @@
   <tbody>
   <tr>
       <td>BP28(R1)</td>
-      <td>Uninstall telnet-server Package</td>
-      <td xml:lang="en-US">
-        The <code>telnet-server</code> package can be removed with the following command:
-<pre>
-$ sudo yum erase telnet-server</pre>
-      </td>
-      <td xml:lang="en-US">
-        It is detrimental for operating systems to provide, or install by default,
-functionality exceeding requirements or mission objectives. These
-unnecessary capabilities are often overlooked and therefore may remain
-unsecure. They increase the risk to the platform by providing additional
-attack vectors.
-<br />
-The telnet service provides an unencrypted remote access service which does
-not provide for the confidentiality and integrity of user passwords or the
-remote session. If a privileged user were to login using this service, the
-privileged user password could be compromised.
-<br />
-Removing the <tt>telnet-server</tt> package decreases the risk of the
-telnet service's accidental (or intentional) activation.
-      </td>
-    </tr>
-    <tr>
-      <td>BP28(R1)</td>
       <td>Uninstall ypserv Package</td>
       <td xml:lang="en-US">
         The <code>ypserv</code> package can be removed with the following command:
@@ -86,6 +62,27 @@
     </tr>
     <tr>
       <td>BP28(R1)</td>
+      <td>Ensure SMEP is not disabled during boot</td>
+      <td xml:lang="en-US">
+        The SMEP is used to prevent the supervisor mode from executing user space code,
+it is enabled by default since Linux kernel 3.0. But it could be disabled through
+kernel boot parameters.
+
+Ensure that Supervisor Mode Execution Prevention (SMEP) is not disabled by
+the <tt>nosmep</tt> boot paramenter option.
+
+Check that the line <pre>GRUB_CMDLINE_LINUX="..."</pre> within <tt>/etc/default/grub</tt>
+doesn't contain the argument <tt>nosmep</tt>.
+Run the following command to update command line for already installed kernels:
+<pre># grubby --update-kernel=ALL --remove-args="nosmep"</pre>
+      </td>
+      <td xml:lang="en-US">
+        Disabling SMEP can facilitate exploitation of certain vulnerabilities because it allows
+the kernel to unintentionally execute code in less privileged memory space.
+      </td>
+    </tr>
+    <tr>
+      <td>BP28(R1)</td>
       <td>Ensure SMAP is not disabled during boot</td>
       <td xml:lang="en-US">
         The SMAP is used to prevent the supervisor mode from unintentionally reading/writing into
@@ -106,56 +103,6 @@
       </td>
     </tr>
     <tr>
-      <td>BP28(R1)</td>
-      <td>Uninstall DHCP Server Package</td>
-      <td xml:lang="en-US">
-        If the system does not need to act as a DHCP server,
-the dhcp package can be uninstalled.
-
-The <code>dhcp</code> package can be removed with the following command:
-<pre>
-$ sudo yum erase dhcp</pre>
-      </td>
-      <td xml:lang="en-US">
-        Removing the DHCP server ensures that it cannot be easily or
-accidentally reactivated and disrupt network operation.
-      </td>
-    </tr>
-    <tr>
-      <td>BP28(R1)</td>
-      <td>Uninstall tftp-server Package</td>
-      <td xml:lang="en-US">
-        The <code>tftp-server</code> package can be removed with the following command: <pre> $ sudo yum erase tftp-server</pre>
-      </td>
-      <td xml:lang="en-US">
-        Removing the <tt>tftp-server</tt> package decreases the risk of the accidental
-(or intentional) activation of tftp services.
-<br /><br />
-If TFTP is required for operational support (such as transmission of router
-configurations), its use must be documented with the Information Systems
-Securty Manager (ISSM), restricted to only authorized personnel, and have
-access control rules established.
-      </td>
-    </tr>
-    <tr>
-      <td>BP28(R1)</td>
-      <td>Install the dracut-fips-aesni Package</td>
-      <td xml:lang="en-US">
-        To enable FIPS on system that support the Advanced Encryption Standard (AES) or New
-Instructions (AES-NI) engine, the system requires that the <tt>dracut-fips-aesni</tt>
-package be installed.
-The <code>dracut-fips-aesni</code> package can be installed with the following command:
-<pre>
-$ sudo yum install dracut-fips-aesni</pre>
-      </td>
-      <td xml:lang="en-US">
-        Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to
-protect data. The operating system must implement cryptographic modules adhering to the higher
-standards approved by the federal government since this provides assurance they have been tested
-and validated.
-      </td>
-    </tr>
-    <tr>
       <td>BP28(R1)<br/>NT007(R03)</td>
       <td>Uninstall the telnet server</td>
       <td xml:lang="en-US">
@@ -169,35 +116,26 @@
     </tr>
     <tr>
       <td>BP28(R1)</td>
-      <td>Remove tftp Daemon</td>
-      <td xml:lang="en-US">
-        Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol,
-typically used to automatically transfer configuration or boot files between systems.
-TFTP does not support authentication and can be easily hacked. The package
-<tt>tftp</tt> is a client program that allows for connections to a <tt>tftp</tt> server.
-      </td>
-      <td xml:lang="en-US">
-        It is recommended that TFTP be removed, unless there is a specific need
-for TFTP (such as a boot server). In that case, use extreme caution when configuring
-the services.
-      </td>
-    </tr>
-    <tr>
-      <td>BP28(R1)</td>
-      <td>Uninstall talk Package</td>
+      <td>Uninstall telnet-server Package</td>
       <td xml:lang="en-US">
-        The <tt>talk</tt> package contains the client program for the
-Internet talk protocol, which allows the user to chat with other users on
-different systems. Talk is a communication program which copies lines from one
-terminal to the terminal of another user.
-The <code>talk</code> package can be removed with the following command:
+        The <code>telnet-server</code> package can be removed with the following command:
 <pre>
-$ sudo yum erase talk</pre>
+$ sudo yum erase telnet-server</pre>
       </td>
       <td xml:lang="en-US">
-        The talk software presents a security risk as it uses unencrypted protocols
-for communications. Removing the <tt>talk</tt> package decreases the
-risk of the accidental (or intentional) activation of talk client program.
+        It is detrimental for operating systems to provide, or install by default,
+functionality exceeding requirements or mission objectives. These
+unnecessary capabilities are often overlooked and therefore may remain
+unsecure. They increase the risk to the platform by providing additional
+attack vectors.
+<br />
+The telnet service provides an unencrypted remote access service which does
+not provide for the confidentiality and integrity of user passwords or the
+remote session. If a privileged user were to login using this service, the
+privileged user password could be compromised.
+<br />
+Removing the <tt>telnet-server</tt> package decreases the risk of the
+telnet service's accidental (or intentional) activation.
       </td>
     </tr>
     <tr>
@@ -222,29 +160,49 @@
     </tr>
     <tr>
       <td>BP28(R1)</td>
-      <td>Uninstall xinetd Package</td>
+      <td>Install the dracut-fips-aesni Package</td>
       <td xml:lang="en-US">
-        The <code>xinetd</code> package can be removed with the following command:
+        To enable FIPS on system that support the Advanced Encryption Standard (AES) or New
+Instructions (AES-NI) engine, the system requires that the <tt>dracut-fips-aesni</tt>
+package be installed.
+The <code>dracut-fips-aesni</code> package can be installed with the following command:
 <pre>
-$ sudo yum erase xinetd</pre>
+$ sudo yum install dracut-fips-aesni</pre>
       </td>
       <td xml:lang="en-US">
-        Removing the <tt>xinetd</tt> package decreases the risk of the
-xinetd service's accidental (or intentional) activation.
+        Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to
+protect data. The operating system must implement cryptographic modules adhering to the higher
+standards approved by the federal government since this provides assurance they have been tested
+and validated.
       </td>
     </tr>
     <tr>
       <td>BP28(R1)</td>
-      <td>Remove telnet Clients</td>
+      <td>Uninstall DHCP Server Package</td>
       <td xml:lang="en-US">
/usr/share/doc/scap-security-guide/tables/table-rhel7-cisrefs.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-rhel7-cisrefs.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-rhel7-cisrefs.html	2023-07-27 00:00:00.000000000 +0000
@@ -70,26 +70,6 @@
     </tr>
     <tr>
       <td>1.1.1.2</td>
-      <td>Disable Mounting of freevxfs</td>
-      <td xml:lang="en-US">
-        
-To configure the system to prevent the <code>freevxfs</code>
-kernel module from being loaded, add the following line to the file <code>/etc/modprobe.d/freevxfs.conf</code>:
-<pre>install freevxfs /bin/true</pre>
-
-To configure the system to prevent the <code>freevxfs</code> from being used,
-add the following line to file <code>/etc/modprobe.d/freevxfs.conf</code>:
-<pre>blacklist freevxfs</pre>
-
-This effectively prevents usage of this uncommon filesystem.
-      </td>
-      <td xml:lang="en-US">
-        Linux kernel modules which implement filesystems that are not needed by the
-local system should be disabled.
-      </td>
-    </tr>
-    <tr>
-      <td>1.1.1.2</td>
       <td>Disable Mounting of squashfs</td>
       <td xml:lang="en-US">
         
@@ -114,6 +94,26 @@
       </td>
     </tr>
     <tr>
+      <td>1.1.1.2</td>
+      <td>Disable Mounting of freevxfs</td>
+      <td xml:lang="en-US">
+        
+To configure the system to prevent the <code>freevxfs</code>
+kernel module from being loaded, add the following line to the file <code>/etc/modprobe.d/freevxfs.conf</code>:
+<pre>install freevxfs /bin/true</pre>
+
+To configure the system to prevent the <code>freevxfs</code> from being used,
+add the following line to file <code>/etc/modprobe.d/freevxfs.conf</code>:
+<pre>blacklist freevxfs</pre>
+
+This effectively prevents usage of this uncommon filesystem.
+      </td>
+      <td xml:lang="en-US">
+        Linux kernel modules which implement filesystems that are not needed by the
+local system should be disabled.
+      </td>
+    </tr>
+    <tr>
       <td>1.1.1.3</td>
       <td>Disable Mounting of jffs2</td>
       <td xml:lang="en-US">
@@ -644,23 +644,6 @@
     </tr>
     <tr>
       <td>1.2.3</td>
-      <td>Ensure gpgcheck Enabled for All yum Package Repositories</td>
-      <td xml:lang="en-US">
-        To ensure signature checking is not disabled for
-any repos, remove any lines from files in <tt>/etc/yum.repos.d</tt> of the form:
-<pre>gpgcheck=0</pre>
-      </td>
-      <td xml:lang="en-US">
-        Verifying the authenticity of the software prior to installation validates
-the integrity of the patch or upgrade received from a vendor. This ensures
-the software has not been tampered with and that it has been provided by a
-trusted vendor. Self-signed certificates are disallowed by this
-requirement. Certificates used to verify the software must be from an
-approved Certificate Authority (CA)."
-      </td>
-    </tr>
-    <tr>
-      <td>1.2.3</td>
       <td>Ensure gpgcheck Enabled In Main yum Configuration</td>
       <td xml:lang="en-US">
         The <tt>gpgcheck</tt> option controls whether
@@ -688,6 +671,23 @@
       </td>
     </tr>
     <tr>
+      <td>1.2.3</td>
+      <td>Ensure gpgcheck Enabled for All yum Package Repositories</td>
+      <td xml:lang="en-US">
+        To ensure signature checking is not disabled for
+any repos, remove any lines from files in <tt>/etc/yum.repos.d</tt> of the form:
+<pre>gpgcheck=0</pre>
+      </td>
+      <td xml:lang="en-US">
+        Verifying the authenticity of the software prior to installation validates
+the integrity of the patch or upgrade received from a vendor. This ensures
+the software has not been tampered with and that it has been provided by a
+trusted vendor. Self-signed certificates are disallowed by this
+requirement. Certificates used to verify the software must be from an
+approved Certificate Authority (CA)."
+      </td>
+    </tr>
+    <tr>
       <td>1.2.5</td>
       <td>Disable Red Hat Network Service (rhnsd)</td>
       <td xml:lang="en-US">
@@ -708,18 +708,6 @@
     </tr>
     <tr>
       <td>1.3.1</td>
-      <td>Install AIDE</td>
-      <td xml:lang="en-US">
-        The <code>aide</code> package can be installed with the following command:
-<pre>
-$ sudo yum install aide</pre>
-      </td>
-      <td xml:lang="en-US">
-        The AIDE package must be installed if it is to be available for integrity checking.
-      </td>
-    </tr>
-    <tr>
-      <td>1.3.1</td>
       <td>Build and Test AIDE Database</td>
       <td xml:lang="en-US">
         Run the following command to generate a new database:
@@ -747,6 +735,18 @@
       </td>
     </tr>
     <tr>
+      <td>1.3.1</td>
+      <td>Install AIDE</td>
+      <td xml:lang="en-US">
+        The <code>aide</code> package can be installed with the following command:
+<pre>
+$ sudo yum install aide</pre>
+      </td>
+      <td xml:lang="en-US">
+        The AIDE package must be installed if it is to be available for integrity checking.
+      </td>
+    </tr>
+    <tr>
       <td>1.3.2</td>
       <td>Configure Periodic Execution of AIDE</td>
       <td xml:lang="en-US">
@@ -777,7 +777,7 @@
     </tr>
     <tr>
       <td>1.4.1</td>
-      <td>Set Boot Loader Password in grub2</td>
+      <td>Set the UEFI Boot Loader Password</td>
       <td xml:lang="en-US">
         The grub2 boot loader should have a superuser account and password
 protection enabled to protect boot-time settings.
@@ -799,7 +799,7 @@
     </tr>
     <tr>
       <td>1.4.1</td>
-      <td>Set the UEFI Boot Loader Password</td>
+      <td>Set Boot Loader Password in grub2</td>
       <td xml:lang="en-US">
         The grub2 boot loader should have a superuser account and password
 protection enabled to protect boot-time settings.
@@ -821,27 +821,45 @@
     </tr>
     <tr>
       <td>1.4.2</td>
-      <td>Verify /boot/grub2/user.cfg Permissions</td>
+      <td>Verify /boot/grub2/grub.cfg Group Ownership</td>
       <td xml:lang="en-US">
-        File permissions for <tt>/boot/grub2/user.cfg</tt> should be set to 600.
+        The file <tt>/boot/grub2/grub.cfg</tt> should
+be group-owned by the <tt>root</tt> group to prevent
+destruction or modification of the file.
 
-To properly set the permissions of <code>/boot/grub2/user.cfg</code>, run the command:
-<pre>$ sudo chmod 600 /boot/grub2/user.cfg</pre>
+To properly set the group owner of <code>/boot/grub2/grub.cfg</code>, run the command:
+<pre>$ sudo chgrp root /boot/grub2/grub.cfg</pre>
       </td>
       <td xml:lang="en-US">
-        Proper permissions ensure that only the root user can read or modify important boot
-parameters.
+        The <tt>root</tt> group is a highly-privileged group. Furthermore, the group-owner of this
+file should not have any access privileges anyway.
       </td>
     </tr>
     <tr>
       <td>1.4.2</td>
-      <td>Verify /boot/efi/EFI/redhat/user.cfg Group Ownership</td>
+      <td>Verify /boot/efi/EFI/redhat/user.cfg User Ownership</td>
       <td xml:lang="en-US">
-        The file <tt>/boot/efi/EFI/redhat/user.cfg</tt> should be group-owned by the
-<tt>root</tt> group to prevent reading or modification of the file.
+        The file <tt>/boot/efi/EFI/redhat/user.cfg</tt> should be owned by the <tt>root</tt>
+user to prevent reading or modification of the file.
 
-To properly set the group owner of <code>/boot/efi/EFI/redhat/user.cfg</code>, run the command:
-<pre>$ sudo chgrp root /boot/efi/EFI/redhat/user.cfg</pre>
+To properly set the owner of <code>/boot/efi/EFI/redhat/user.cfg</code>, run the command:
+<pre>$ sudo chown root /boot/efi/EFI/redhat/user.cfg </pre>
+      </td>
+      <td xml:lang="en-US">
/usr/share/doc/scap-security-guide/tables/table-rhel7-cuirefs.html differs (HTML document, ASCII text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-rhel7-cuirefs.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-rhel7-cuirefs.html	2023-07-27 00:00:00.000000000 +0000
@@ -44,57 +44,6 @@
   </thead>
   <tbody>
   <tr>
-      <td>3.1.1<br/>3.4.5</td>
-      <td>Require Authentication for Emergency Systemd Target</td>
-      <td xml:lang="en-US">
-        Emergency mode is intended as a system recovery
-method, providing a single user root access to the system
-during a failed boot sequence.
-<br /><br />
-By default, Emergency mode is protected by requiring a password and is set
-in <tt>/usr/lib/systemd/system/emergency.service</tt>.
-      </td>
-      <td xml:lang="en-US">
-        This prevents attackers with physical access from trivially bypassing security
-on the machine and gaining root access. Such accesses are further prevented
-by configuring the bootloader password.
-      </td>
-    </tr>
-    <tr>
-      <td>3.1.1<br/>3.4.5</td>
-      <td>Require Authentication for Single User Mode</td>
-      <td xml:lang="en-US">
-        Single-user mode is intended as a system recovery
-method, providing a single user root access to the system by
-providing a boot option at startup.
-<br /><br />
-By default, single-user mode is protected by requiring a password and is set
-in <tt>/usr/lib/systemd/system/rescue.service</tt>.
-      </td>
-      <td xml:lang="en-US">
-        This prevents attackers with physical access from trivially bypassing security
-on the machine and gaining root access. Such accesses are further prevented
-by configuring the bootloader password.
-      </td>
-    </tr>
-    <tr>
-      <td>3.1.1</td>
-      <td>Disable GDM Automatic Login</td>
-      <td xml:lang="en-US">
-        The GNOME Display Manager (GDM) can allow users to automatically login without
-user interaction or credentials. User should always be required to authenticate themselves
-to the system that they are authorized to use. To disable user ability to automatically
-login to the system, set the <tt>AutomaticLoginEnable</tt> to <tt>false</tt> in the
-<tt>[daemon]</tt> section in <tt>/etc/gdm/custom.conf</tt>. For example:
-<pre>[daemon]
-AutomaticLoginEnable=false</pre>
-      </td>
-      <td xml:lang="en-US">
-        Failure to restrict system access to authenticated users negatively impacts operating
-system security.
-      </td>
-    </tr>
-    <tr>
       <td>3.1.1<br/>3.1.6</td>
       <td>Direct root Logins Not Allowed</td>
       <td xml:lang="en-US">
@@ -139,6 +88,55 @@
     </tr>
     <tr>
       <td>3.1.1<br/>3.1.5</td>
+      <td>Restrict Serial Port Root Logins</td>
+      <td xml:lang="en-US">
+        To restrict root logins on serial ports,
+ensure lines of this form do not appear in <tt>/etc/securetty</tt>:
+<pre>ttyS0
+ttyS1</pre>
+      </td>
+      <td xml:lang="en-US">
+        Preventing direct root login to serial port interfaces
+helps ensure accountability for actions taken on the systems
+using the root account.
+      </td>
+    </tr>
+    <tr>
+      <td>3.1.1<br/>3.4.5</td>
+      <td>Require Authentication for Single User Mode</td>
+      <td xml:lang="en-US">
+        Single-user mode is intended as a system recovery
+method, providing a single user root access to the system by
+providing a boot option at startup.
+<br /><br />
+By default, single-user mode is protected by requiring a password and is set
+in <tt>/usr/lib/systemd/system/rescue.service</tt>.
+      </td>
+      <td xml:lang="en-US">
+        This prevents attackers with physical access from trivially bypassing security
+on the machine and gaining root access. Such accesses are further prevented
+by configuring the bootloader password.
+      </td>
+    </tr>
+    <tr>
+      <td>3.1.1</td>
+      <td>Disable GDM Automatic Login</td>
+      <td xml:lang="en-US">
+        The GNOME Display Manager (GDM) can allow users to automatically login without
+user interaction or credentials. User should always be required to authenticate themselves
+to the system that they are authorized to use. To disable user ability to automatically
+login to the system, set the <tt>AutomaticLoginEnable</tt> to <tt>false</tt> in the
+<tt>[daemon]</tt> section in <tt>/etc/gdm/custom.conf</tt>. For example:
+<pre>[daemon]
+AutomaticLoginEnable=false</pre>
+      </td>
+      <td xml:lang="en-US">
+        Failure to restrict system access to authenticated users negatively impacts operating
+system security.
+      </td>
+    </tr>
+    <tr>
+      <td>3.1.1<br/>3.1.5</td>
       <td>Disable SSH Access via Empty Passwords</td>
       <td xml:lang="en-US">
         Disallow SSH login with empty passwords.
@@ -163,18 +161,20 @@
       </td>
     </tr>
     <tr>
-      <td>3.1.1<br/>3.1.5</td>
-      <td>Restrict Serial Port Root Logins</td>
+      <td>3.1.1<br/>3.4.5</td>
+      <td>Require Authentication for Emergency Systemd Target</td>
       <td xml:lang="en-US">
-        To restrict root logins on serial ports,
-ensure lines of this form do not appear in <tt>/etc/securetty</tt>:
-<pre>ttyS0
-ttyS1</pre>
+        Emergency mode is intended as a system recovery
+method, providing a single user root access to the system
+during a failed boot sequence.
+<br /><br />
+By default, Emergency mode is protected by requiring a password and is set
+in <tt>/usr/lib/systemd/system/emergency.service</tt>.
       </td>
       <td xml:lang="en-US">
-        Preventing direct root login to serial port interfaces
-helps ensure accountability for actions taken on the systems
-using the root account.
+        This prevents attackers with physical access from trivially bypassing security
+on the machine and gaining root access. Such accesses are further prevented
+by configuring the bootloader password.
       </td>
     </tr>
     <tr>
@@ -258,10 +258,9 @@
     </tr>
     <tr>
       <td>3.1.2<br/>3.7.2</td>
-      <td>Ensure SELinux Not Disabled in /etc/default/grub</td>
+      <td>Ensure SELinux Not Disabled in the kernel arguments</td>
       <td xml:lang="en-US">
-        SELinux can be disabled at boot time by an argument in
-<tt>/etc/default/grub</tt>.
+        SELinux can be disabled at boot time by disabling it via a kernel argument.
 Remove any instances of <tt>selinux=0</tt> from the kernel arguments in that
 file to prevent SELinux from being disabled at boot.
       </td>
@@ -273,9 +272,10 @@
     </tr>
     <tr>
       <td>3.1.2<br/>3.7.2</td>
-      <td>Ensure SELinux Not Disabled in the kernel arguments</td>
+      <td>Ensure SELinux Not Disabled in /etc/default/grub</td>
       <td xml:lang="en-US">
-        SELinux can be disabled at boot time by disabling it via a kernel argument.
+        SELinux can be disabled at boot time by an argument in
+<tt>/etc/default/grub</tt>.
 Remove any instances of <tt>selinux=0</tt> from the kernel arguments in that
 file to prevent SELinux from being disabled at boot.
       </td>
@@ -286,21 +286,27 @@
       </td>
     </tr>
     <tr>
-      <td>3.1.2<br/>3.1.5<br/>3.7.2</td>
-      <td>Ensure No Daemons are Unconfined by SELinux</td>
+      <td>3.1.2<br/>3.4.5</td>
+      <td>Verify that Interactive Boot is Disabled</td>
       <td xml:lang="en-US">
-        Daemons for which the SELinux policy does not contain rules will inherit the
-context of the parent process. Because daemons are launched during
-startup and descend from the <tt>init</tt> process, they inherit the <tt>unconfined_service_t</tt> context.
-<br />
-<br />
-To check for unconfined daemons, run the following command:
-<pre>$ sudo ps -eZ | grep "unconfined_service_t"</pre>
-It should produce no output in a well-configured system.
+        Red Hat Enterprise Linux 7 systems support an "interactive boot" option that can
+be used to prevent services from being started. On a Red Hat Enterprise Linux 7
+system, interactive boot can be enabled by providing a <tt>1</tt>,
+<tt>yes</tt>, <tt>true</tt>, or <tt>on</tt> value to the
+<tt>systemd.confirm_spawn</tt> kernel argument in <tt>/etc/default/grub</tt>.
+Remove any instance of <pre>systemd.confirm_spawn=(1|yes|true|on)</pre> from
+the kernel arguments in that file to disable interactive boot.
+Recovery booting must also be disabled. Confirm that
+<tt>GRUB_DISABLE_RECOVERY=true</tt> is set in  <tt>/etc/default/grub</tt>.
+It is also required to change the runtime configuration, run:
+
/usr/share/doc/scap-security-guide/tables/table-rhel7-nistrefs.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-rhel7-nistrefs.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-rhel7-nistrefs.html	2023-07-27 00:00:00.000000000 +0000
@@ -44,161 +44,48 @@
   </thead>
   <tbody>
   <tr>
-      <td>AU-2(d)<br/>AU-12(c)<br/>CM-6(a)</td>
-      <td>Record Unsuccessful Modification Attempts to Files - open_by_handle_at O_TRUNC_WRITE</td>
-      <td xml:lang="en-US">
-        The audit system should collect detailed unauthorized file accesses for
-all users and root. The <tt>open_by_handle_at</tt> syscall can be used to modify files
-if called for write operation of with O_TRUNC_WRITE flag.
-
-The following auidt rules will asure that unsuccessful attempts to modify a
-file via <tt>open_by_handle_at</tt> syscall are collected.
-
-If the <tt>auditd</tt> daemon is configured to use the <tt>augenrules</tt>
-program to read audit rules during daemon startup (the default), add the
-rules below to a file with suffix <tt>.rules</tt> in the directory
-<tt>/etc/audit/rules.d</tt>.
-
-If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
-utility to read audit rules during daemon startup, add the rules below to
-<tt>/etc/audit/audit.rules</tt> file.
-<pre>
--a always,exit -F arch=b32 -S open_by_handle_at -F a2&amp;01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
--a always,exit -F arch=b32 -S open_by_handle_at -F a2&amp;01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-</pre>
-
-If the system is 64 bit then also add the following lines:
-<pre>
--a always,exit -F arch=b64 -S open_by_handle_at -F a2&amp;01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
--a always,exit -F arch=b64 -S open_by_handle_at -F a2&amp;01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-</pre>
-      </td>
-      <td xml:lang="en-US">
-        Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
-these events could serve as evidence of potential system compromise.
-      </td>
-    </tr>
-    <tr>
-      <td>AU-2(d)<br/>AU-12(c)<br/>CM-6(a)</td>
-      <td>Record Unsuccessful Permission Changes to Files - fremovexattr</td>
-      <td xml:lang="en-US">
-        The audit system should collect unsuccessful file permission change
-attempts for all users and root.
-If the <tt>auditd</tt> daemon is configured
-to use the <tt>augenrules</tt> program to read audit rules during daemon
-startup (the default), add the following lines to a file with suffix
-<tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>.
-If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
-utility to read audit rules during daemon startup, add the following lines to
-<tt>/etc/audit/audit.rules</tt> file.
-<pre>-a always,exit -F arch=b32 -S fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
--a always,exit -F arch=b32 -S fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change</pre>
-If the system is 64 bit then also add the following lines:
-<pre>-a always,exit -F arch=b64 -S fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
--a always,exit -F arch=b64 -S fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change</pre>
-      </td>
-      <td xml:lang="en-US">
-        Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing
-these events could serve as evidence of potential system compromise.
-      </td>
-    </tr>
-    <tr>
-      <td>AU-2(d)<br/>AU-12(c)<br/>CM-6(a)</td>
-      <td>Ensure auditd Collects File Deletion Events by User - unlinkat</td>
+      <td>AU-2(d)<br/>AU-12(c)<br/>AC-6(9)<br/>CM-6(a)</td>
+      <td>Record Attempts to Alter Logon and Logout Events - tallylog</td>
       <td xml:lang="en-US">
-        At a minimum, the audit system should collect file deletion events
-for all users and root. If the <tt>auditd</tt> daemon is configured to use the
+        The audit system already collects login information for all users
+and root. If the <tt>auditd</tt> daemon is configured to use the
 <tt>augenrules</tt> program to read audit rules during daemon startup (the
-default), add the following line to a file with suffix <tt>.rules</tt> in the
-directory <tt>/etc/audit/rules.d</tt>, setting ARCH to either b32 or b64 as
-appropriate for your system:
-<pre>-a always,exit -F arch=ARCH -S unlinkat -F auid&gt;=1000 -F auid!=unset -F key=delete</pre>
+default), add the following lines to a file with suffix <tt>.rules</tt> in the
+directory <tt>/etc/audit/rules.d</tt> in order to watch for attempted manual
+edits of files involved in storing logon events:
+<pre>-w /var/log/tallylog -p wa -k logins</pre>
 If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
-utility to read audit rules during daemon startup, add the following line to
-<tt>/etc/audit/audit.rules</tt> file, setting ARCH to either b32 or b64 as
-appropriate for your system:
-<pre>-a always,exit -F arch=ARCH -S unlinkat -F auid&gt;=1000 -F auid!=unset -F key=delete</pre>
+utility to read audit rules during daemon startup, add the following lines to
+<tt>/etc/audit/audit.rules</tt> file in order to watch for unattempted manual
+edits of files involved in storing logon events:
+<pre>-w /var/log/tallylog -p wa -k logins</pre>
       </td>
       <td xml:lang="en-US">
-        Auditing file deletions will create an audit trail for files that are removed
-from the system. The audit trail could aid in system troubleshooting, as well as, detecting
-malicious processes that attempt to delete log files to conceal their presence.
+        Manual editing of these files may indicate nefarious activity, such
+as an attacker attempting to remove evidence of an intrusion.
       </td>
     </tr>
     <tr>
-      <td>AU-2(d)<br/>AU-12(c)<br/>CM-6(a)</td>
-      <td>Ensure auditd Collects File Deletion Events by User - rename</td>
+      <td>AU-2(d)<br/>AU-12(c)<br/>AC-6(9)<br/>CM-6(a)</td>
+      <td>Record attempts to alter time through adjtimex</td>
       <td xml:lang="en-US">
-        At a minimum, the audit system should collect file deletion events
-for all users and root. If the <tt>auditd</tt> daemon is configured to use the
+        If the <tt>auditd</tt> daemon is configured to use the
 <tt>augenrules</tt> program to read audit rules during daemon startup (the
 default), add the following line to a file with suffix <tt>.rules</tt> in the
-directory <tt>/etc/audit/rules.d</tt>, setting ARCH to either b32 or b64 as
-appropriate for your system:
-<pre>-a always,exit -F arch=ARCH -S rename -F auid&gt;=1000 -F auid!=unset -F key=delete</pre>
-If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
-utility to read audit rules during daemon startup, add the following line to
-<tt>/etc/audit/audit.rules</tt> file, setting ARCH to either b32 or b64 as
-appropriate for your system:
-<pre>-a always,exit -F arch=ARCH -S rename -F auid&gt;=1000 -F auid!=unset -F key=delete</pre>
-      </td>
-      <td xml:lang="en-US">
-        Auditing file deletions will create an audit trail for files that are removed
-from the system. The audit trail could aid in system troubleshooting, as well as, detecting
-malicious processes that attempt to delete log files to conceal their presence.
-      </td>
-    </tr>
-    <tr>
-      <td>AU-2(d)<br/>AU-12(c)<br/>CM-6(a)</td>
-      <td>Record Events that Modify the System's Discretionary Access Controls - fchmodat</td>
-      <td xml:lang="en-US">
-        At a minimum, the audit system should collect file permission
-changes for all users and root. If the <tt>auditd</tt> daemon is configured to
-use the <tt>augenrules</tt> program to read audit rules during daemon startup
-(the default), add the following line to a file with suffix <tt>.rules</tt> in
-the directory <tt>/etc/audit/rules.d</tt>:
-<pre>-a always,exit -F arch=b32 -S fchmodat -F auid&gt;=1000 -F auid!=unset -F key=perm_mod</pre>
+directory <tt>/etc/audit/rules.d</tt>:
+<pre>-a always,exit -F arch=b32 -S adjtimex -F key=audit_time_rules</pre>
 If the system is 64 bit then also add the following line:
-<pre>-a always,exit -F arch=b64 -S fchmodat -F auid&gt;=1000 -F auid!=unset -F key=perm_mod</pre>
+<pre>-a always,exit -F arch=b64 -S adjtimex -F key=audit_time_rules</pre>
 If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
 utility to read audit rules during daemon startup, add the following line to
 <tt>/etc/audit/audit.rules</tt> file:
-<pre>-a always,exit -F arch=b32 -S fchmodat -F auid&gt;=1000 -F auid!=unset -F key=perm_mod</pre>
+<pre>-a always,exit -F arch=b32 -S adjtimex -F key=audit_time_rules</pre>
 If the system is 64 bit then also add the following line:
-<pre>-a always,exit -F arch=b64 -S fchmodat -F auid&gt;=1000 -F auid!=unset -F key=perm_mod</pre>
-      </td>
-      <td xml:lang="en-US">
-        The changing of file permissions could indicate that a user is attempting to
-gain access to information that would otherwise be disallowed. Auditing DAC modifications
-can facilitate the identification of patterns of abuse among both authorized and
-unauthorized users.
-      </td>
-    </tr>
-    <tr>
-      <td>AU-2(d)<br/>AU-12(c)<br/>AC-6(9)<br/>CM-6(a)</td>
-      <td>Record Attempts to Alter Time Through stime</td>
-      <td xml:lang="en-US">
-        If the <tt>auditd</tt> daemon is configured to use the
-<tt>augenrules</tt> program to read audit rules during daemon startup (the
-default), add the following line to a file with suffix <tt>.rules</tt> in the
-directory <tt>/etc/audit/rules.d</tt> for both 32 bit and 64 bit systems:
-<pre>-a always,exit -F arch=b32 -S stime -F key=audit_time_rules</pre>
-Since the 64 bit version of the "stime" system call is not defined in the audit
-lookup table, the corresponding "-F arch=b64" form of this rule is not expected
-to be defined on 64 bit systems (the aforementioned "-F arch=b32" stime rule
-form itself is sufficient for both 32 bit and 64 bit systems). If the
-<tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt> utility to
-read audit rules during daemon startup, add the following line to
-<tt>/etc/audit/audit.rules</tt> file for both 32 bit and 64 bit systems:
-<pre>-a always,exit -F arch=b32 -S stime -F key=audit_time_rules</pre>
-Since the 64 bit version of the "stime" system call is not defined in the audit
-lookup table, the corresponding "-F arch=b64" form of this rule is not expected
-to be defined on 64 bit systems (the aforementioned "-F arch=b32" stime rule
-form itself is sufficient for both 32 bit and 64 bit systems). The -k option
-allows for the specification of a key in string form that can be used for
-better reporting capability through ausearch and aureport. Multiple system
-calls can be defined on the same line to save space if desired, but is not
-required. See an example of multiple combined system calls:
+<pre>-a always,exit -F arch=b64 -S adjtimex -F key=audit_time_rules</pre>
+The -k option allows for the specification of a key in string form that can be
+used for better reporting capability through ausearch and aureport. Multiple
+system calls can be defined on the same line to save space if desired, but is
+not required. See an example of multiple combined syscalls:
 <pre>-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules</pre>
       </td>
       <td xml:lang="en-US">
@@ -210,130 +97,82 @@
     </tr>
     <tr>
       <td>AU-2(d)<br/>AU-12(c)<br/>CM-6(a)</td>
-      <td>Record Unsuccessful Ownership Changes to Files - chown</td>
-      <td xml:lang="en-US">
-        The audit system should collect unsuccessful file ownership change
-attempts for all users and root.
-If the <tt>auditd</tt> daemon is configured
-to use the <tt>augenrules</tt> program to read audit rules during daemon
/usr/share/doc/scap-security-guide/tables/table-rhel7-ospprefs.html differs (HTML document, ASCII text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-rhel7-ospprefs.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-rhel7-ospprefs.html	2023-07-27 00:00:00.000000000 +0000
@@ -45,6 +45,20 @@
   <tbody>
   <tr>
       <td>AGD_PRE.1<br/>AGD_OPE.1</td>
+      <td>Install openscap-scanner Package</td>
+      <td xml:lang="en-US">
+        The <code>openscap-scanner</code> package can be installed with the following command:
+<pre>
+$ sudo yum install openscap-scanner</pre>
+      </td>
+      <td xml:lang="en-US">
+        <tt>openscap-scanner</tt> contains the <tt>oscap</tt> command line tool. This tool is a
+configuration and vulnerability scanner, capable of performing compliance checking using
+SCAP content.
+      </td>
+    </tr>
+    <tr>
+      <td>AGD_PRE.1<br/>AGD_OPE.1</td>
       <td>Install scap-security-guide Package</td>
       <td xml:lang="en-US">
         The <code>scap-security-guide</code> package can be installed with the following command:
@@ -64,17 +78,24 @@
       </td>
     </tr>
     <tr>
-      <td>AGD_PRE.1<br/>AGD_OPE.1</td>
-      <td>Install openscap-scanner Package</td>
+      <td>FAU_GEN.1</td>
+      <td>Enable Auditing for Processes Which Start Prior to the Audit Daemon</td>
       <td xml:lang="en-US">
-        The <code>openscap-scanner</code> package can be installed with the following command:
-<pre>
-$ sudo yum install openscap-scanner</pre>
+        To ensure all processes can be audited, even those which start
+prior to the audit daemon, add the argument <tt>audit=1</tt> to the default
+GRUB 2 command line for the Linux operating system.
+To ensure that <tt>audit=1</tt> is added as a kernel command line
+argument to newly installed kernels, add <tt>audit=1</tt> to the
+default Grub2 command line for Linux operating systems. Modify the line within
+<tt>/etc/default/grub</tt> as shown below:
+<pre>GRUB_CMDLINE_LINUX="... audit=1 ..."</pre>
+Run the following command to update command line for already installed kernels:<pre># grubby --update-kernel=ALL --args="audit=1"</pre>
       </td>
       <td xml:lang="en-US">
-        <tt>openscap-scanner</tt> contains the <tt>oscap</tt> command line tool. This tool is a
-configuration and vulnerability scanner, capable of performing compliance checking using
-SCAP content.
+        Each process on the system carries an "auditable" flag which indicates whether
+its activities can be audited. Although <tt>auditd</tt> takes care of enabling
+this for all processes which launch after it does, adding the kernel argument
+ensures it is set for every process during boot.
       </td>
     </tr>
     <tr>
@@ -93,36 +114,12 @@
     </tr>
     <tr>
       <td>FAU_GEN.1</td>
-      <td>Include Local Events in Audit Logs</td>
-      <td xml:lang="en-US">
-        To configure Audit daemon to include local events in Audit logs, set
-<tt>local_events</tt> to <tt>yes</tt> in <tt>/etc/audit/auditd.conf</tt>.
-This is the default setting.
-      </td>
-      <td xml:lang="en-US">
-        If option <tt>local_events</tt> isn't set to <tt>yes</tt> only events from
-network will be aggregated.
-      </td>
-    </tr>
-    <tr>
-      <td>FAU_GEN.1</td>
-      <td>Enable Auditing for Processes Which Start Prior to the Audit Daemon</td>
+      <td>Ensure the audit Subsystem is Installed</td>
       <td xml:lang="en-US">
-        To ensure all processes can be audited, even those which start
-prior to the audit daemon, add the argument <tt>audit=1</tt> to the default
-GRUB 2 command line for the Linux operating system.
-To ensure that <tt>audit=1</tt> is added as a kernel command line
-argument to newly installed kernels, add <tt>audit=1</tt> to the
-default Grub2 command line for Linux operating systems. Modify the line within
-<tt>/etc/default/grub</tt> as shown below:
-<pre>GRUB_CMDLINE_LINUX="... audit=1 ..."</pre>
-Run the following command to update command line for already installed kernels:<pre># grubby --update-kernel=ALL --args="audit=1"</pre>
+        The audit package should be installed.
       </td>
       <td xml:lang="en-US">
-        Each process on the system carries an "auditable" flag which indicates whether
-its activities can be audited. Although <tt>auditd</tt> takes care of enabling
-this for all processes which launch after it does, adding the kernel argument
-ensures it is set for every process during boot.
+        The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy.
       </td>
     </tr>
     <tr>
@@ -149,12 +146,15 @@
     </tr>
     <tr>
       <td>FAU_GEN.1</td>
-      <td>Ensure the audit Subsystem is Installed</td>
+      <td>Include Local Events in Audit Logs</td>
       <td xml:lang="en-US">
-        The audit package should be installed.
+        To configure Audit daemon to include local events in Audit logs, set
+<tt>local_events</tt> to <tt>yes</tt> in <tt>/etc/audit/auditd.conf</tt>.
+This is the default setting.
       </td>
       <td xml:lang="en-US">
-        The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy.
+        If option <tt>local_events</tt> isn't set to <tt>yes</tt> only events from
+network will be aggregated.
       </td>
     </tr>
     <tr>
@@ -180,142 +180,149 @@
     </tr>
     <tr>
       <td>FAU_GEN.1.1.c</td>
-      <td>Record Unsuccessful Modification Attempts to Files - open_by_handle_at O_TRUNC_WRITE</td>
+      <td>Record Attempts to Alter Logon and Logout Events - tallylog</td>
       <td xml:lang="en-US">
-        The audit system should collect detailed unauthorized file accesses for
-all users and root. The <tt>open_by_handle_at</tt> syscall can be used to modify files
-if called for write operation of with O_TRUNC_WRITE flag.
-
-The following auidt rules will asure that unsuccessful attempts to modify a
-file via <tt>open_by_handle_at</tt> syscall are collected.
-
-If the <tt>auditd</tt> daemon is configured to use the <tt>augenrules</tt>
-program to read audit rules during daemon startup (the default), add the
-rules below to a file with suffix <tt>.rules</tt> in the directory
-<tt>/etc/audit/rules.d</tt>.
-
+        The audit system already collects login information for all users
+and root. If the <tt>auditd</tt> daemon is configured to use the
+<tt>augenrules</tt> program to read audit rules during daemon startup (the
+default), add the following lines to a file with suffix <tt>.rules</tt> in the
+directory <tt>/etc/audit/rules.d</tt> in order to watch for attempted manual
+edits of files involved in storing logon events:
+<pre>-w /var/log/tallylog -p wa -k logins</pre>
 If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
-utility to read audit rules during daemon startup, add the rules below to
-<tt>/etc/audit/audit.rules</tt> file.
-<pre>
--a always,exit -F arch=b32 -S open_by_handle_at -F a2&amp;01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
--a always,exit -F arch=b32 -S open_by_handle_at -F a2&amp;01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-</pre>
-
-If the system is 64 bit then also add the following lines:
-<pre>
--a always,exit -F arch=b64 -S open_by_handle_at -F a2&amp;01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
--a always,exit -F arch=b64 -S open_by_handle_at -F a2&amp;01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-</pre>
+utility to read audit rules during daemon startup, add the following lines to
+<tt>/etc/audit/audit.rules</tt> file in order to watch for unattempted manual
+edits of files involved in storing logon events:
+<pre>-w /var/log/tallylog -p wa -k logins</pre>
       </td>
       <td xml:lang="en-US">
-        Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
-these events could serve as evidence of potential system compromise.
+        Manual editing of these files may indicate nefarious activity, such
+as an attacker attempting to remove evidence of an intrusion.
       </td>
     </tr>
     <tr>
       <td>FAU_GEN.1.1.c</td>
-      <td>Ensure auditd Collects System Administrator Actions</td>
+      <td>Record Attempts to Alter Process and Session Initiation Information</td>
       <td xml:lang="en-US">
-        At a minimum, the audit system should collect administrator actions
-for all users and root. If the <tt>auditd</tt> daemon is configured to use the
-<tt>augenrules</tt> program to read audit rules during daemon startup (the default),
-add the following line to a file with suffix <tt>.rules</tt> in the directory
-<tt>/etc/audit/rules.d</tt>:
-<pre>-w /etc/sudoers -p wa -k actions
--w /etc/sudoers.d/ -p wa -k actions</pre>
+        The audit system already collects process information for all
+users and root. If the <tt>auditd</tt> daemon is configured to use the
+<tt>augenrules</tt> program to read audit rules during daemon startup (the
+default), add the following lines to a file with suffix <tt>.rules</tt> in the
+directory <tt>/etc/audit/rules.d</tt> in order to watch for attempted manual
+edits of files involved in storing such process information:
+<pre>-w /var/run/utmp -p wa -k session
+-w /var/log/btmp -p wa -k session
+-w /var/log/wtmp -p wa -k session</pre>
 If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
-utility to read audit rules during daemon startup, add the following line to
-<tt>/etc/audit/audit.rules</tt> file:
-<pre>-w /etc/sudoers -p wa -k actions
--w /etc/sudoers.d/ -p wa -k actions</pre>
+utility to read audit rules during daemon startup, add the following lines to
+<tt>/etc/audit/audit.rules</tt> file in order to watch for attempted manual
+edits of files involved in storing such process information:
+<pre>-w /var/run/utmp -p wa -k session
+-w /var/log/btmp -p wa -k session
+-w /var/log/wtmp -p wa -k session</pre>
       </td>
       <td xml:lang="en-US">
/usr/share/doc/scap-security-guide/tables/table-rhel7-pcidssrefs.html differs (HTML document, ASCII text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-rhel7-pcidssrefs.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-rhel7-pcidssrefs.html	2023-07-27 00:00:00.000000000 +0000
@@ -45,7 +45,7 @@
   <tbody>
   <tr>
       <td>Req-1.3</td>
-      <td>Set configuration for IPv6 loopback traffic</td>
+      <td>Set configuration for loopback traffic</td>
       <td xml:lang="en-US">
         Configure the loopback interface to accept traffic.
 Configure all other interfaces to deny traffic to the loopback
@@ -54,14 +54,14 @@
       <td xml:lang="en-US">
         Loopback traffic is generated between processes on machine and is
 typically critical to operation of the system. The loopback interface
-is the only place that loopback network traffic should be seen,
-all other interfaces should ignore traffic on this network as an
+is the only place that loopback network traffic should be seen, all
+other interfaces should ignore traffic on this network as an
 anti-spoofing measure.
       </td>
     </tr>
     <tr>
       <td>Req-1.3</td>
-      <td>Set configuration for loopback traffic</td>
+      <td>Set configuration for IPv6 loopback traffic</td>
       <td xml:lang="en-US">
         Configure the loopback interface to accept traffic.
 Configure all other interfaces to deny traffic to the loopback
@@ -70,8 +70,8 @@
       <td xml:lang="en-US">
         Loopback traffic is generated between processes on machine and is
 typically critical to operation of the system. The loopback interface
-is the only place that loopback network traffic should be seen, all
-other interfaces should ignore traffic on this network as an
+is the only place that loopback network traffic should be seen,
+all other interfaces should ignore traffic on this network as an
 anti-spoofing measure.
       </td>
     </tr>
@@ -149,20 +149,6 @@
     </tr>
     <tr>
       <td>Req-1.4.1</td>
-      <td>Install iptables Package</td>
-      <td xml:lang="en-US">
-        The <code>iptables</code> package can be installed with the following command:
-<pre>
-$ sudo yum install iptables</pre>
-      </td>
-      <td xml:lang="en-US">
-        <tt>iptables</tt> controls the Linux kernel network packet filtering
-code. <tt>iptables</tt> allows system operators to set up firewalls and IP
-masquerading, etc.
-      </td>
-    </tr>
-    <tr>
-      <td>Req-1.4.1</td>
       <td>Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces</td>
       <td xml:lang="en-US">
         To set the runtime status of the <code>net.ipv4.tcp_syncookies</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.tcp_syncookies=1</pre>
@@ -178,6 +164,20 @@
       </td>
     </tr>
     <tr>
+      <td>Req-1.4.1</td>
+      <td>Install iptables Package</td>
+      <td xml:lang="en-US">
+        The <code>iptables</code> package can be installed with the following command:
+<pre>
+$ sudo yum install iptables</pre>
+      </td>
+      <td xml:lang="en-US">
+        <tt>iptables</tt> controls the Linux kernel network packet filtering
+code. <tt>iptables</tt> allows system operators to set up firewalls and IP
+masquerading, etc.
+      </td>
+    </tr>
+    <tr>
       <td>Req-1.4.2</td>
       <td>Disable SCTP Support</td>
       <td xml:lang="en-US">
@@ -222,17 +222,35 @@
     </tr>
     <tr>
       <td>Req-1.4.3</td>
-      <td>Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces</td>
+      <td>Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default</td>
       <td xml:lang="en-US">
-        To set the runtime status of the <code>net.ipv4.icmp_echo_ignore_broadcasts</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1</pre>
-To make sure that the setting is persistent, add the following line to a file in the directory <tt>/etc/sysctl.d</tt>: <pre>net.ipv4.icmp_echo_ignore_broadcasts = 1</pre>
+        To set the runtime status of the <code>net.ipv6.conf.default.accept_source_route</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv6.conf.default.accept_source_route=0</pre>
+To make sure that the setting is persistent, add the following line to a file in the directory <tt>/etc/sysctl.d</tt>: <pre>net.ipv6.conf.default.accept_source_route = 0</pre>
       </td>
       <td xml:lang="en-US">
-        Responding to broadcast (ICMP) echoes facilitates network mapping
-and provides a vector for amplification attacks.
-<br />
-Ignoring ICMP echo requests (pings) sent to broadcast or multicast
-addresses makes the system slightly more difficult to enumerate on the network.
+        Source-routed packets allow the source of the packet to suggest routers
+forward the packet along a different path than configured on the router, which can
+be used to bypass network security measures. This requirement applies only to the
+forwarding of source-routerd traffic, such as when IPv6 forwarding is enabled and
+the system is functioning as a router.
+
+Accepting source-routed packets in the IPv6 protocol has few legitimate
+uses. It should be disabled unless it is absolutely required.
+      </td>
+    </tr>
+    <tr>
+      <td>Req-1.4.3</td>
+      <td>Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces</td>
+      <td xml:lang="en-US">
+        To set the runtime status of the <code>net.ipv4.conf.all.rp_filter</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.all.rp_filter=1</pre>
+To make sure that the setting is persistent, add the following line to a file in the directory <tt>/etc/sysctl.d</tt>: <pre>net.ipv4.conf.all.rp_filter = 1</pre>
+      </td>
+      <td xml:lang="en-US">
+        Enabling reverse path filtering drops packets with source addresses
+that should not have been able to be received on the interface they were
+received on. It should not be used on systems which are routers for
+complicated networks, but is helpful for end hosts and routers serving small
+networks.
       </td>
     </tr>
     <tr>
@@ -250,17 +268,14 @@
     </tr>
     <tr>
       <td>Req-1.4.3</td>
-      <td>Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces</td>
+      <td>Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces</td>
       <td xml:lang="en-US">
-        To set the runtime status of the <code>net.ipv4.conf.all.rp_filter</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.all.rp_filter=1</pre>
-To make sure that the setting is persistent, add the following line to a file in the directory <tt>/etc/sysctl.d</tt>: <pre>net.ipv4.conf.all.rp_filter = 1</pre>
+        To set the runtime status of the <code>net.ipv4.icmp_ignore_bogus_error_responses</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1</pre>
+To make sure that the setting is persistent, add the following line to a file in the directory <tt>/etc/sysctl.d</tt>: <pre>net.ipv4.icmp_ignore_bogus_error_responses = 1</pre>
       </td>
       <td xml:lang="en-US">
-        Enabling reverse path filtering drops packets with source addresses
-that should not have been able to be received on the interface they were
-received on. It should not be used on systems which are routers for
-complicated networks, but is helpful for end hosts and routers serving small
-networks.
+        Ignoring bogus ICMP error responses reduces
+log size, although some activity would not be logged.
       </td>
     </tr>
     <tr>
@@ -281,32 +296,17 @@
     </tr>
     <tr>
       <td>Req-1.4.3</td>
-      <td>Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default</td>
-      <td xml:lang="en-US">
-        To set the runtime status of the <code>net.ipv6.conf.default.accept_source_route</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv6.conf.default.accept_source_route=0</pre>
-To make sure that the setting is persistent, add the following line to a file in the directory <tt>/etc/sysctl.d</tt>: <pre>net.ipv6.conf.default.accept_source_route = 0</pre>
-      </td>
-      <td xml:lang="en-US">
-        Source-routed packets allow the source of the packet to suggest routers
-forward the packet along a different path than configured on the router, which can
-be used to bypass network security measures. This requirement applies only to the
-forwarding of source-routerd traffic, such as when IPv6 forwarding is enabled and
-the system is functioning as a router.
-
-Accepting source-routed packets in the IPv6 protocol has few legitimate
-uses. It should be disabled unless it is absolutely required.
-      </td>
-    </tr>
-    <tr>
-      <td>Req-1.4.3</td>
-      <td>Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces</td>
+      <td>Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces</td>
       <td xml:lang="en-US">
-        To set the runtime status of the <code>net.ipv4.icmp_ignore_bogus_error_responses</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1</pre>
-To make sure that the setting is persistent, add the following line to a file in the directory <tt>/etc/sysctl.d</tt>: <pre>net.ipv4.icmp_ignore_bogus_error_responses = 1</pre>
+        To set the runtime status of the <code>net.ipv4.icmp_echo_ignore_broadcasts</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1</pre>
+To make sure that the setting is persistent, add the following line to a file in the directory <tt>/etc/sysctl.d</tt>: <pre>net.ipv4.icmp_echo_ignore_broadcasts = 1</pre>
       </td>
       <td xml:lang="en-US">
-        Ignoring bogus ICMP error responses reduces
-log size, although some activity would not be logged.
+        Responding to broadcast (ICMP) echoes facilitates network mapping
+and provides a vector for amplification attacks.
+<br />
+Ignoring ICMP echo requests (pings) sent to broadcast or multicast
+addresses makes the system slightly more difficult to enumerate on the network.
       </td>
     </tr>
     <tr>
@@ -327,6 +327,23 @@
     </tr>
     <tr>
       <td>Req-2.2.2</td>
+      <td>Uninstall ypserv Package</td>
+      <td xml:lang="en-US">
+        The <code>ypserv</code> package can be removed with the following command:
+<pre>
+$ sudo yum erase ypserv</pre>
+      </td>
/usr/share/doc/scap-security-guide/tables/table-rhel8-anssirefs.html differs (HTML document, UTF-8 Unicode text)
--- old//usr/share/doc/scap-security-guide/tables/table-rhel8-anssirefs.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-rhel8-anssirefs.html	2023-07-27 00:00:00.000000000 +0000
@@ -45,30 +45,6 @@
   <tbody>
   <tr>
       <td>BP28(R1)</td>
-      <td>Uninstall telnet-server Package</td>
-      <td xml:lang="en-US">
-        The <code>telnet-server</code> package can be removed with the following command:
-<pre>
-$ sudo yum erase telnet-server</pre>
-      </td>
-      <td xml:lang="en-US">
-        It is detrimental for operating systems to provide, or install by default,
-functionality exceeding requirements or mission objectives. These
-unnecessary capabilities are often overlooked and therefore may remain
-unsecure. They increase the risk to the platform by providing additional
-attack vectors.
-<br />
-The telnet service provides an unencrypted remote access service which does
-not provide for the confidentiality and integrity of user passwords or the
-remote session. If a privileged user were to login using this service, the
-privileged user password could be compromised.
-<br />
-Removing the <tt>telnet-server</tt> package decreases the risk of the
-telnet service's accidental (or intentional) activation.
-      </td>
-    </tr>
-    <tr>
-      <td>BP28(R1)</td>
       <td>Uninstall ypserv Package</td>
       <td xml:lang="en-US">
         The <code>ypserv</code> package can be removed with the following command:
@@ -86,6 +62,27 @@
     </tr>
     <tr>
       <td>BP28(R1)</td>
+      <td>Ensure SMEP is not disabled during boot</td>
+      <td xml:lang="en-US">
+        The SMEP is used to prevent the supervisor mode from executing user space code,
+it is enabled by default since Linux kernel 3.0. But it could be disabled through
+kernel boot parameters.
+
+Ensure that Supervisor Mode Execution Prevention (SMEP) is not disabled by
+the <tt>nosmep</tt> boot paramenter option.
+
+Check that the line <pre>GRUB_CMDLINE_LINUX="..."</pre> within <tt>/etc/default/grub</tt>
+doesn't contain the argument <tt>nosmep</tt>.
+Run the following command to update command line for already installed kernels:
+<pre># grubby --update-kernel=ALL --remove-args="nosmep"</pre>
+      </td>
+      <td xml:lang="en-US">
+        Disabling SMEP can facilitate exploitation of certain vulnerabilities because it allows
+the kernel to unintentionally execute code in less privileged memory space.
+      </td>
+    </tr>
+    <tr>
+      <td>BP28(R1)</td>
       <td>Ensure SMAP is not disabled during boot</td>
       <td xml:lang="en-US">
         The SMAP is used to prevent the supervisor mode from unintentionally reading/writing into
@@ -106,38 +103,6 @@
       </td>
     </tr>
     <tr>
-      <td>BP28(R1)</td>
-      <td>Uninstall DHCP Server Package</td>
-      <td xml:lang="en-US">
-        If the system does not need to act as a DHCP server,
-the dhcp package can be uninstalled.
-
-The <code>dhcp-server</code> package can be removed with the following command:
-<pre>
-$ sudo yum erase dhcp-server</pre>
-      </td>
-      <td xml:lang="en-US">
-        Removing the DHCP server ensures that it cannot be easily or
-accidentally reactivated and disrupt network operation.
-      </td>
-    </tr>
-    <tr>
-      <td>BP28(R1)</td>
-      <td>Uninstall tftp-server Package</td>
-      <td xml:lang="en-US">
-        The <code>tftp-server</code> package can be removed with the following command: <pre> $ sudo yum erase tftp-server</pre>
-      </td>
-      <td xml:lang="en-US">
-        Removing the <tt>tftp-server</tt> package decreases the risk of the accidental
-(or intentional) activation of tftp services.
-<br /><br />
-If TFTP is required for operational support (such as transmission of router
-configurations), its use must be documented with the Information Systems
-Securty Manager (ISSM), restricted to only authorized personnel, and have
-access control rules established.
-      </td>
-    </tr>
-    <tr>
       <td>BP28(R1)<br/>NT007(R03)</td>
       <td>Uninstall the telnet server</td>
       <td xml:lang="en-US">
@@ -151,35 +116,26 @@
     </tr>
     <tr>
       <td>BP28(R1)</td>
-      <td>Remove tftp Daemon</td>
-      <td xml:lang="en-US">
-        Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol,
-typically used to automatically transfer configuration or boot files between systems.
-TFTP does not support authentication and can be easily hacked. The package
-<tt>tftp</tt> is a client program that allows for connections to a <tt>tftp</tt> server.
-      </td>
-      <td xml:lang="en-US">
-        It is recommended that TFTP be removed, unless there is a specific need
-for TFTP (such as a boot server). In that case, use extreme caution when configuring
-the services.
-      </td>
-    </tr>
-    <tr>
-      <td>BP28(R1)</td>
-      <td>Uninstall talk Package</td>
+      <td>Uninstall telnet-server Package</td>
       <td xml:lang="en-US">
-        The <tt>talk</tt> package contains the client program for the
-Internet talk protocol, which allows the user to chat with other users on
-different systems. Talk is a communication program which copies lines from one
-terminal to the terminal of another user.
-The <code>talk</code> package can be removed with the following command:
+        The <code>telnet-server</code> package can be removed with the following command:
 <pre>
-$ sudo yum erase talk</pre>
+$ sudo yum erase telnet-server</pre>
       </td>
       <td xml:lang="en-US">
-        The talk software presents a security risk as it uses unencrypted protocols
-for communications. Removing the <tt>talk</tt> package decreases the
-risk of the accidental (or intentional) activation of talk client program.
+        It is detrimental for operating systems to provide, or install by default,
+functionality exceeding requirements or mission objectives. These
+unnecessary capabilities are often overlooked and therefore may remain
+unsecure. They increase the risk to the platform by providing additional
+attack vectors.
+<br />
+The telnet service provides an unencrypted remote access service which does
+not provide for the confidentiality and integrity of user passwords or the
+remote session. If a privileged user were to login using this service, the
+privileged user password could be compromised.
+<br />
+Removing the <tt>telnet-server</tt> package decreases the risk of the
+telnet service's accidental (or intentional) activation.
       </td>
     </tr>
     <tr>
@@ -204,29 +160,31 @@
     </tr>
     <tr>
       <td>BP28(R1)</td>
-      <td>Uninstall xinetd Package</td>
+      <td>Uninstall DHCP Server Package</td>
       <td xml:lang="en-US">
-        The <code>xinetd</code> package can be removed with the following command:
+        If the system does not need to act as a DHCP server,
+the dhcp package can be uninstalled.
+
+The <code>dhcp-server</code> package can be removed with the following command:
 <pre>
-$ sudo yum erase xinetd</pre>
+$ sudo yum erase dhcp-server</pre>
       </td>
       <td xml:lang="en-US">
-        Removing the <tt>xinetd</tt> package decreases the risk of the
-xinetd service's accidental (or intentional) activation.
+        Removing the DHCP server ensures that it cannot be easily or
+accidentally reactivated and disrupt network operation.
       </td>
     </tr>
     <tr>
       <td>BP28(R1)</td>
-      <td>Remove telnet Clients</td>
+      <td>Uninstall xinetd Package</td>
       <td xml:lang="en-US">
-        The telnet client allows users to start connections to other systems via
-the telnet protocol.
+        The <code>xinetd</code> package can be removed with the following command:
+<pre>
+$ sudo yum erase xinetd</pre>
       </td>
       <td xml:lang="en-US">
-        The <tt>telnet</tt> protocol is insecure and unencrypted. The use
-of an unencrypted transmission medium could allow an unauthorized user
-to steal credentials. The <tt>ssh</tt> package provides an
-encrypted session and stronger security and is included in Red Hat Enterprise Linux 8.
+        Removing the <tt>xinetd</tt> package decreases the risk of the
+xinetd service's accidental (or intentional) activation.
       </td>
     </tr>
     <tr>
@@ -248,6 +206,34 @@
     </tr>
     <tr>
       <td>BP28(R1)</td>
/usr/share/doc/scap-security-guide/tables/table-rhel8-cisrefs.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-rhel8-cisrefs.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-rhel8-cisrefs.html	2023-07-27 00:00:00.000000000 +0000
@@ -70,51 +70,51 @@
     </tr>
     <tr>
       <td>1.1.1.2</td>
-      <td>Disable Mounting of vFAT filesystems</td>
+      <td>Disable Mounting of squashfs</td>
       <td xml:lang="en-US">
         
-To configure the system to prevent the <code>vfat</code>
-kernel module from being loaded, add the following line to the file <code>/etc/modprobe.d/vfat.conf</code>:
-<pre>install vfat /bin/true</pre>
+To configure the system to prevent the <code>squashfs</code>
+kernel module from being loaded, add the following line to the file <code>/etc/modprobe.d/squashfs.conf</code>:
+<pre>install squashfs /bin/true</pre>
 
-To configure the system to prevent the <code>vfat</code> from being used,
-add the following line to file <code>/etc/modprobe.d/vfat.conf</code>:
-<pre>blacklist vfat</pre>
+To configure the system to prevent the <code>squashfs</code> from being used,
+add the following line to file <code>/etc/modprobe.d/squashfs.conf</code>:
+<pre>blacklist squashfs</pre>
 
 This effectively prevents usage of this uncommon filesystem.
 
-The <tt>vFAT</tt> filesystem format is primarily used on older
-windows systems and portable USB drives or flash modules. It comes
-in three types <tt>FAT12</tt>, <tt>FAT16</tt>, and <tt>FAT32</tt>
-all of which are supported by the <tt>vfat</tt> kernel module.
+The <tt>squashfs</tt> filesystem type is a compressed read-only Linux
+filesystem embedded in small footprint systems (similar to
+<tt>cramfs</tt>). A <tt>squashfs</tt> image can be used without having
+to first decompress the image.
       </td>
       <td xml:lang="en-US">
-        Removing support for unneeded filesystems reduces the local attack
+        Removing support for unneeded filesystem types reduces the local attack
 surface of the system.
       </td>
     </tr>
     <tr>
       <td>1.1.1.2</td>
-      <td>Disable Mounting of squashfs</td>
+      <td>Disable Mounting of vFAT filesystems</td>
       <td xml:lang="en-US">
         
-To configure the system to prevent the <code>squashfs</code>
-kernel module from being loaded, add the following line to the file <code>/etc/modprobe.d/squashfs.conf</code>:
-<pre>install squashfs /bin/true</pre>
+To configure the system to prevent the <code>vfat</code>
+kernel module from being loaded, add the following line to the file <code>/etc/modprobe.d/vfat.conf</code>:
+<pre>install vfat /bin/true</pre>
 
-To configure the system to prevent the <code>squashfs</code> from being used,
-add the following line to file <code>/etc/modprobe.d/squashfs.conf</code>:
-<pre>blacklist squashfs</pre>
+To configure the system to prevent the <code>vfat</code> from being used,
+add the following line to file <code>/etc/modprobe.d/vfat.conf</code>:
+<pre>blacklist vfat</pre>
 
 This effectively prevents usage of this uncommon filesystem.
 
-The <tt>squashfs</tt> filesystem type is a compressed read-only Linux
-filesystem embedded in small footprint systems (similar to
-<tt>cramfs</tt>). A <tt>squashfs</tt> image can be used without having
-to first decompress the image.
+The <tt>vFAT</tt> filesystem format is primarily used on older
+windows systems and portable USB drives or flash modules. It comes
+in three types <tt>FAT12</tt>, <tt>FAT16</tt>, and <tt>FAT32</tt>
+all of which are supported by the <tt>vfat</tt> kernel module.
       </td>
       <td xml:lang="en-US">
-        Removing support for unneeded filesystem types reduces the local attack
+        Removing support for unneeded filesystems reduces the local attack
 surface of the system.
       </td>
     </tr>
@@ -800,18 +800,6 @@
     </tr>
     <tr>
       <td>1.3.1</td>
-      <td>Install AIDE</td>
-      <td xml:lang="en-US">
-        The <code>aide</code> package can be installed with the following command:
-<pre>
-$ sudo yum install aide</pre>
-      </td>
-      <td xml:lang="en-US">
-        The AIDE package must be installed if it is to be available for integrity checking.
-      </td>
-    </tr>
-    <tr>
-      <td>1.3.1</td>
       <td>Build and Test AIDE Database</td>
       <td xml:lang="en-US">
         Run the following command to generate a new database:
@@ -839,6 +827,18 @@
       </td>
     </tr>
     <tr>
+      <td>1.3.1</td>
+      <td>Install AIDE</td>
+      <td xml:lang="en-US">
+        The <code>aide</code> package can be installed with the following command:
+<pre>
+$ sudo yum install aide</pre>
+      </td>
+      <td xml:lang="en-US">
+        The AIDE package must be installed if it is to be available for integrity checking.
+      </td>
+    </tr>
+    <tr>
       <td>1.3.2</td>
       <td>Configure Periodic Execution of AIDE</td>
       <td xml:lang="en-US">
@@ -869,7 +869,7 @@
     </tr>
     <tr>
       <td>1.4.1</td>
-      <td>Set Boot Loader Password in grub2</td>
+      <td>Set the UEFI Boot Loader Password</td>
       <td xml:lang="en-US">
         The grub2 boot loader should have a superuser account and password
 protection enabled to protect boot-time settings.
@@ -891,7 +891,7 @@
     </tr>
     <tr>
       <td>1.4.1</td>
-      <td>Set the UEFI Boot Loader Password</td>
+      <td>Set Boot Loader Password in grub2</td>
       <td xml:lang="en-US">
         The grub2 boot loader should have a superuser account and password
 protection enabled to protect boot-time settings.
@@ -913,27 +913,45 @@
     </tr>
     <tr>
       <td>1.4.2</td>
-      <td>Verify /boot/grub2/user.cfg Permissions</td>
+      <td>Verify /boot/grub2/grub.cfg Group Ownership</td>
       <td xml:lang="en-US">
-        File permissions for <tt>/boot/grub2/user.cfg</tt> should be set to 600.
+        The file <tt>/boot/grub2/grub.cfg</tt> should
+be group-owned by the <tt>root</tt> group to prevent
+destruction or modification of the file.
 
-To properly set the permissions of <code>/boot/grub2/user.cfg</code>, run the command:
-<pre>$ sudo chmod 600 /boot/grub2/user.cfg</pre>
+To properly set the group owner of <code>/boot/grub2/grub.cfg</code>, run the command:
+<pre>$ sudo chgrp root /boot/grub2/grub.cfg</pre>
       </td>
       <td xml:lang="en-US">
-        Proper permissions ensure that only the root user can read or modify important boot
-parameters.
+        The <tt>root</tt> group is a highly-privileged group. Furthermore, the group-owner of this
+file should not have any access privileges anyway.
       </td>
     </tr>
     <tr>
       <td>1.4.2</td>
-      <td>Verify /boot/efi/EFI/redhat/user.cfg Group Ownership</td>
+      <td>Verify /boot/efi/EFI/redhat/user.cfg User Ownership</td>
       <td xml:lang="en-US">
-        The file <tt>/boot/efi/EFI/redhat/user.cfg</tt> should be group-owned by the
-<tt>root</tt> group to prevent reading or modification of the file.
+        The file <tt>/boot/efi/EFI/redhat/user.cfg</tt> should be owned by the <tt>root</tt>
+user to prevent reading or modification of the file.
 
-To properly set the group owner of <code>/boot/efi/EFI/redhat/user.cfg</code>, run the command:
-<pre>$ sudo chgrp root /boot/efi/EFI/redhat/user.cfg</pre>
+To properly set the owner of <code>/boot/efi/EFI/redhat/user.cfg</code>, run the command:
+<pre>$ sudo chown root /boot/efi/EFI/redhat/user.cfg </pre>
+      </td>
+      <td xml:lang="en-US">
+        Only root should be able to modify important boot parameters. Also, non-root users who read
+the boot parameters may be able to identify weaknesses in security upon boot and be able to
+exploit them.
+      </td>
+    </tr>
+    <tr>
+      <td>1.4.2</td>
+      <td>Verify /boot/grub2/user.cfg Group Ownership</td>
+      <td xml:lang="en-US">
+        The file <tt>/boot/grub2/user.cfg</tt> should be group-owned by the <tt>root</tt>
+group to prevent reading or modification of the file.
+
+To properly set the group owner of <code>/boot/grub2/user.cfg</code>, run the command:
+<pre>$ sudo chgrp root /boot/grub2/user.cfg</pre>
       </td>
       <td xml:lang="en-US">
         The <tt>root</tt> group is a highly-privileged group. Furthermore, the group-owner of this
@@ -943,17 +961,16 @@
     </tr>
     <tr>
       <td>1.4.2</td>
-      <td>Verify /boot/grub2/grub.cfg User Ownership</td>
+      <td>Verify the UEFI Boot Loader grub.cfg Permissions</td>
       <td xml:lang="en-US">
-        The file <tt>/boot/grub2/grub.cfg</tt> should
-be owned by the <tt>root</tt> user to prevent destruction
/usr/share/doc/scap-security-guide/tables/table-rhel8-cuirefs.html differs (HTML document, ASCII text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-rhel8-cuirefs.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-rhel8-cuirefs.html	2023-07-27 00:00:00.000000000 +0000
@@ -44,57 +44,6 @@
   </thead>
   <tbody>
   <tr>
-      <td>3.1.1<br/>3.4.5</td>
-      <td>Require Authentication for Emergency Systemd Target</td>
-      <td xml:lang="en-US">
-        Emergency mode is intended as a system recovery
-method, providing a single user root access to the system
-during a failed boot sequence.
-<br /><br />
-By default, Emergency mode is protected by requiring a password and is set
-in <tt>/usr/lib/systemd/system/emergency.service</tt>.
-      </td>
-      <td xml:lang="en-US">
-        This prevents attackers with physical access from trivially bypassing security
-on the machine and gaining root access. Such accesses are further prevented
-by configuring the bootloader password.
-      </td>
-    </tr>
-    <tr>
-      <td>3.1.1<br/>3.4.5</td>
-      <td>Require Authentication for Single User Mode</td>
-      <td xml:lang="en-US">
-        Single-user mode is intended as a system recovery
-method, providing a single user root access to the system by
-providing a boot option at startup.
-<br /><br />
-By default, single-user mode is protected by requiring a password and is set
-in <tt>/usr/lib/systemd/system/rescue.service</tt>.
-      </td>
-      <td xml:lang="en-US">
-        This prevents attackers with physical access from trivially bypassing security
-on the machine and gaining root access. Such accesses are further prevented
-by configuring the bootloader password.
-      </td>
-    </tr>
-    <tr>
-      <td>3.1.1</td>
-      <td>Disable GDM Automatic Login</td>
-      <td xml:lang="en-US">
-        The GNOME Display Manager (GDM) can allow users to automatically login without
-user interaction or credentials. User should always be required to authenticate themselves
-to the system that they are authorized to use. To disable user ability to automatically
-login to the system, set the <tt>AutomaticLoginEnable</tt> to <tt>false</tt> in the
-<tt>[daemon]</tt> section in <tt>/etc/gdm/custom.conf</tt>. For example:
-<pre>[daemon]
-AutomaticLoginEnable=false</pre>
-      </td>
-      <td xml:lang="en-US">
-        Failure to restrict system access to authenticated users negatively impacts operating
-system security.
-      </td>
-    </tr>
-    <tr>
       <td>3.1.1<br/>3.1.6</td>
       <td>Direct root Logins Not Allowed</td>
       <td xml:lang="en-US">
@@ -139,6 +88,55 @@
     </tr>
     <tr>
       <td>3.1.1<br/>3.1.5</td>
+      <td>Restrict Serial Port Root Logins</td>
+      <td xml:lang="en-US">
+        To restrict root logins on serial ports,
+ensure lines of this form do not appear in <tt>/etc/securetty</tt>:
+<pre>ttyS0
+ttyS1</pre>
+      </td>
+      <td xml:lang="en-US">
+        Preventing direct root login to serial port interfaces
+helps ensure accountability for actions taken on the systems
+using the root account.
+      </td>
+    </tr>
+    <tr>
+      <td>3.1.1<br/>3.4.5</td>
+      <td>Require Authentication for Single User Mode</td>
+      <td xml:lang="en-US">
+        Single-user mode is intended as a system recovery
+method, providing a single user root access to the system by
+providing a boot option at startup.
+<br /><br />
+By default, single-user mode is protected by requiring a password and is set
+in <tt>/usr/lib/systemd/system/rescue.service</tt>.
+      </td>
+      <td xml:lang="en-US">
+        This prevents attackers with physical access from trivially bypassing security
+on the machine and gaining root access. Such accesses are further prevented
+by configuring the bootloader password.
+      </td>
+    </tr>
+    <tr>
+      <td>3.1.1</td>
+      <td>Disable GDM Automatic Login</td>
+      <td xml:lang="en-US">
+        The GNOME Display Manager (GDM) can allow users to automatically login without
+user interaction or credentials. User should always be required to authenticate themselves
+to the system that they are authorized to use. To disable user ability to automatically
+login to the system, set the <tt>AutomaticLoginEnable</tt> to <tt>false</tt> in the
+<tt>[daemon]</tt> section in <tt>/etc/gdm/custom.conf</tt>. For example:
+<pre>[daemon]
+AutomaticLoginEnable=false</pre>
+      </td>
+      <td xml:lang="en-US">
+        Failure to restrict system access to authenticated users negatively impacts operating
+system security.
+      </td>
+    </tr>
+    <tr>
+      <td>3.1.1<br/>3.1.5</td>
       <td>Disable SSH Access via Empty Passwords</td>
       <td xml:lang="en-US">
         Disallow SSH login with empty passwords.
@@ -163,18 +161,20 @@
       </td>
     </tr>
     <tr>
-      <td>3.1.1<br/>3.1.5</td>
-      <td>Restrict Serial Port Root Logins</td>
+      <td>3.1.1<br/>3.4.5</td>
+      <td>Require Authentication for Emergency Systemd Target</td>
       <td xml:lang="en-US">
-        To restrict root logins on serial ports,
-ensure lines of this form do not appear in <tt>/etc/securetty</tt>:
-<pre>ttyS0
-ttyS1</pre>
+        Emergency mode is intended as a system recovery
+method, providing a single user root access to the system
+during a failed boot sequence.
+<br /><br />
+By default, Emergency mode is protected by requiring a password and is set
+in <tt>/usr/lib/systemd/system/emergency.service</tt>.
       </td>
       <td xml:lang="en-US">
-        Preventing direct root login to serial port interfaces
-helps ensure accountability for actions taken on the systems
-using the root account.
+        This prevents attackers with physical access from trivially bypassing security
+on the machine and gaining root access. Such accesses are further prevented
+by configuring the bootloader password.
       </td>
     </tr>
     <tr>
@@ -258,10 +258,9 @@
     </tr>
     <tr>
       <td>3.1.2<br/>3.7.2</td>
-      <td>Ensure SELinux Not Disabled in /etc/default/grub</td>
+      <td>Ensure SELinux Not Disabled in the kernel arguments</td>
       <td xml:lang="en-US">
-        SELinux can be disabled at boot time by an argument in
-<tt>/etc/default/grub</tt>.
+        SELinux can be disabled at boot time by disabling it via a kernel argument.
 Remove any instances of <tt>selinux=0</tt> from the kernel arguments in that
 file to prevent SELinux from being disabled at boot.
       </td>
@@ -273,9 +272,10 @@
     </tr>
     <tr>
       <td>3.1.2<br/>3.7.2</td>
-      <td>Ensure SELinux Not Disabled in the kernel arguments</td>
+      <td>Ensure SELinux Not Disabled in /etc/default/grub</td>
       <td xml:lang="en-US">
-        SELinux can be disabled at boot time by disabling it via a kernel argument.
+        SELinux can be disabled at boot time by an argument in
+<tt>/etc/default/grub</tt>.
 Remove any instances of <tt>selinux=0</tt> from the kernel arguments in that
 file to prevent SELinux from being disabled at boot.
       </td>
@@ -286,21 +286,27 @@
       </td>
     </tr>
     <tr>
-      <td>3.1.2<br/>3.1.5<br/>3.7.2</td>
-      <td>Ensure No Daemons are Unconfined by SELinux</td>
+      <td>3.1.2<br/>3.4.5</td>
+      <td>Verify that Interactive Boot is Disabled</td>
       <td xml:lang="en-US">
-        Daemons for which the SELinux policy does not contain rules will inherit the
-context of the parent process. Because daemons are launched during
-startup and descend from the <tt>init</tt> process, they inherit the <tt>unconfined_service_t</tt> context.
-<br />
-<br />
-To check for unconfined daemons, run the following command:
-<pre>$ sudo ps -eZ | grep "unconfined_service_t"</pre>
-It should produce no output in a well-configured system.
+        Red Hat Enterprise Linux 8 systems support an "interactive boot" option that can
+be used to prevent services from being started. On a Red Hat Enterprise Linux 8
+system, interactive boot can be enabled by providing a <tt>1</tt>,
+<tt>yes</tt>, <tt>true</tt>, or <tt>on</tt> value to the
+<tt>systemd.confirm_spawn</tt> kernel argument in <tt>/etc/default/grub</tt>.
+Remove any instance of <pre>systemd.confirm_spawn=(1|yes|true|on)</pre> from
+the kernel arguments in that file to disable interactive boot.
+Recovery booting must also be disabled. Confirm that
+<tt>GRUB_DISABLE_RECOVERY=true</tt> is set in  <tt>/etc/default/grub</tt>.
+It is also required to change the runtime configuration, run:
+
/usr/share/doc/scap-security-guide/tables/table-rhel8-nistrefs.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-rhel8-nistrefs.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-rhel8-nistrefs.html	2023-07-27 00:00:00.000000000 +0000
@@ -44,137 +44,47 @@
   </thead>
   <tbody>
   <tr>
-      <td>AU-2(d)<br/>AU-12(c)<br/>CM-6(a)</td>
-      <td>Record Unsuccessful Modification Attempts to Files - open_by_handle_at O_TRUNC_WRITE</td>
-      <td xml:lang="en-US">
-        The audit system should collect detailed unauthorized file accesses for
-all users and root. The <tt>open_by_handle_at</tt> syscall can be used to modify files
-if called for write operation of with O_TRUNC_WRITE flag.
-
-The following auidt rules will asure that unsuccessful attempts to modify a
-file via <tt>open_by_handle_at</tt> syscall are collected.
-
-If the <tt>auditd</tt> daemon is configured to use the <tt>augenrules</tt>
-program to read audit rules during daemon startup (the default), add the
-rules below to a file with suffix <tt>.rules</tt> in the directory
-<tt>/etc/audit/rules.d</tt>.
-
-If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
-utility to read audit rules during daemon startup, add the rules below to
-<tt>/etc/audit/audit.rules</tt> file.
-<pre>
--a always,exit -F arch=b32 -S open_by_handle_at -F a2&amp;01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
--a always,exit -F arch=b32 -S open_by_handle_at -F a2&amp;01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-</pre>
-
-If the system is 64 bit then also add the following lines:
-<pre>
--a always,exit -F arch=b64 -S open_by_handle_at -F a2&amp;01003 -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
--a always,exit -F arch=b64 -S open_by_handle_at -F a2&amp;01003 -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-modification
-</pre>
-      </td>
-      <td xml:lang="en-US">
-        Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
-these events could serve as evidence of potential system compromise.
-      </td>
-    </tr>
-    <tr>
-      <td>AU-2<br/>CM-8(3)<br/>IA-3</td>
-      <td>Log USBGuard daemon audit events using Linux Audit</td>
-      <td xml:lang="en-US">
-        To configure USBGuard daemon to log via Linux Audit
-(as opposed directly to a file),
-<tt>AuditBackend</tt> option in <tt>/etc/usbguard/usbguard-daemon.conf</tt>
-needs to be set to <tt>LinuxAudit</tt>.
-      </td>
-      <td xml:lang="en-US">
-        Using the Linux Audit logging allows for centralized trace
-of events.
-      </td>
-    </tr>
-    <tr>
-      <td>AU-2(d)<br/>AU-12(c)<br/>CM-6(a)</td>
-      <td>Record Unsuccessful Permission Changes to Files - fremovexattr</td>
-      <td xml:lang="en-US">
-        The audit system should collect unsuccessful file permission change
-attempts for all users and root.
-If the <tt>auditd</tt> daemon is configured
-to use the <tt>augenrules</tt> program to read audit rules during daemon
-startup (the default), add the following lines to a file with suffix
-<tt>.rules</tt> in the directory <tt>/etc/audit/rules.d</tt>.
-If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
-utility to read audit rules during daemon startup, add the following lines to
-<tt>/etc/audit/audit.rules</tt> file.
-<pre>-a always,exit -F arch=b32 -S fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
--a always,exit -F arch=b32 -S fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change</pre>
-If the system is 64 bit then also add the following lines:
-<pre>-a always,exit -F arch=b64 -S fremovexattr -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change
--a always,exit -F arch=b64 -S fremovexattr -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=unsuccesful-perm-change</pre>
-      </td>
-      <td xml:lang="en-US">
-        Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing
-these events could serve as evidence of potential system compromise.
-      </td>
-    </tr>
-    <tr>
-      <td>AU-2(a)</td>
-      <td>Configure auditing of unsuccessful ownership changes</td>
-      <td xml:lang="en-US">
-        Ensure that unsuccessful attempts to change an ownership of files or directories are audited.
-
-The following rules configure audit as described above:
-<pre>## Unsuccessful ownership change
--a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-owner-change
--a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-owner-change
--a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-owner-change
--a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-owner-change    </pre>
-
-Load new Audit rules into kernel by running:
-<pre>augenrules --load</pre>
-
-Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.
-      </td>
-      <td xml:lang="en-US">
-        Unsuccessful attempts to change an ownership of files or directories might be signs of a malicious activity. Having such events audited helps in monitoring and investigation of such activities.
-      </td>
-    </tr>
-    <tr>
-      <td>AU-2(d)<br/>AU-12(c)<br/>CM-6(a)</td>
-      <td>Ensure auditd Collects File Deletion Events by User - unlinkat</td>
+      <td>AU-2(d)<br/>AU-12(c)<br/>AC-6(9)<br/>CM-6(a)</td>
+      <td>Record Attempts to Alter Logon and Logout Events - tallylog</td>
       <td xml:lang="en-US">
-        At a minimum, the audit system should collect file deletion events
-for all users and root. If the <tt>auditd</tt> daemon is configured to use the
+        The audit system already collects login information for all users
+and root. If the <tt>auditd</tt> daemon is configured to use the
 <tt>augenrules</tt> program to read audit rules during daemon startup (the
-default), add the following line to a file with suffix <tt>.rules</tt> in the
-directory <tt>/etc/audit/rules.d</tt>, setting ARCH to either b32 or b64 as
-appropriate for your system:
-<pre>-a always,exit -F arch=ARCH -S unlinkat -F auid&gt;=1000 -F auid!=unset -F key=delete</pre>
+default), add the following lines to a file with suffix <tt>.rules</tt> in the
+directory <tt>/etc/audit/rules.d</tt> in order to watch for attempted manual
+edits of files involved in storing logon events:
+<pre>-w /var/log/tallylog -p wa -k logins</pre>
 If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
-utility to read audit rules during daemon startup, add the following line to
-<tt>/etc/audit/audit.rules</tt> file, setting ARCH to either b32 or b64 as
-appropriate for your system:
-<pre>-a always,exit -F arch=ARCH -S unlinkat -F auid&gt;=1000 -F auid!=unset -F key=delete</pre>
+utility to read audit rules during daemon startup, add the following lines to
+<tt>/etc/audit/audit.rules</tt> file in order to watch for unattempted manual
+edits of files involved in storing logon events:
+<pre>-w /var/log/tallylog -p wa -k logins</pre>
       </td>
       <td xml:lang="en-US">
-        Auditing file deletions will create an audit trail for files that are removed
-from the system. The audit trail could aid in system troubleshooting, as well as, detecting
-malicious processes that attempt to delete log files to conceal their presence.
+        Manual editing of these files may indicate nefarious activity, such
+as an attacker attempting to remove evidence of an intrusion.
       </td>
     </tr>
     <tr>
       <td>AU-2(a)</td>
-      <td>Configure auditing of successful file creations</td>
+      <td>Configure auditing of unsuccessful file modifications</td>
       <td xml:lang="en-US">
-        Ensure that successful attempts to create a file are audited.
+        Ensure that unsuccessful attempts to modify a file are audited.
 
 The following rules configure audit as described above:
-<pre>## Successful file creation (open with O_CREAT)
--a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&amp;0100 -F success=1 -F auid&gt;=1000 -F auid!=unset -F key=successful-create
--a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&amp;0100 -F success=1 -F auid&gt;=1000 -F auid!=unset -F key=successful-create
--a always,exit -F arch=b32 -S open -F a1&amp;0100 -F success=1 -F auid&gt;=1000 -F auid!=unset -F key=successful-create
--a always,exit -F arch=b64 -S open -F a1&amp;0100 -F success=1 -F auid&gt;=1000 -F auid!=unset -F key=successful-create
--a always,exit -F arch=b32 -S creat -F success=1 -F auid&gt;=1000 -F auid!=unset -F key=successful-create
--a always,exit -F arch=b64 -S creat -F success=1 -F auid&gt;=1000 -F auid!=unset -F key=successful-create    </pre>
+<pre>## Unsuccessful file modifications (open for write or truncate)
+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&amp;01003 -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-modification
+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&amp;01003 -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-modification
+-a always,exit -F arch=b32 -S open -F a1&amp;01003 -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-modification
+-a always,exit -F arch=b64 -S open -F a1&amp;01003 -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-modification
+-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-modification
+-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-modification
+-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&amp;01003 -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-modification
+-a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&amp;01003 -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-modification
+-a always,exit -F arch=b32 -S open -F a1&amp;01003 -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-modification
+-a always,exit -F arch=b64 -S open -F a1&amp;01003 -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-modification
+-a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-modification
+-a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-modification    </pre>
 
 Load new Audit rules into kernel by running:
 <pre>augenrules --load</pre>
@@ -182,83 +92,30 @@
 Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.
       </td>
       <td xml:lang="en-US">
-        Auditing of successful attempts to create a file helps in investigation of actions which happened on the system.
+        Unsuccessful file modifications might be a sign of a malicious action being performed on the system. Auditing of such events helps in detection and investigation of such actions.
       </td>
     </tr>
     <tr>
-      <td>AU-2(d)<br/>AU-12(c)<br/>CM-6(a)</td>
-      <td>Ensure auditd Collects File Deletion Events by User - rename</td>
+      <td>AU-2(d)<br/>AU-12(c)<br/>AC-6(9)<br/>CM-6(a)</td>
+      <td>Record attempts to alter time through adjtimex</td>
       <td xml:lang="en-US">
-        At a minimum, the audit system should collect file deletion events
-for all users and root. If the <tt>auditd</tt> daemon is configured to use the
+        If the <tt>auditd</tt> daemon is configured to use the
 <tt>augenrules</tt> program to read audit rules during daemon startup (the
 default), add the following line to a file with suffix <tt>.rules</tt> in the
-directory <tt>/etc/audit/rules.d</tt>, setting ARCH to either b32 or b64 as
-appropriate for your system:
-<pre>-a always,exit -F arch=ARCH -S rename -F auid&gt;=1000 -F auid!=unset -F key=delete</pre>
-If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
-utility to read audit rules during daemon startup, add the following line to
-<tt>/etc/audit/audit.rules</tt> file, setting ARCH to either b32 or b64 as
-appropriate for your system:
-<pre>-a always,exit -F arch=ARCH -S rename -F auid&gt;=1000 -F auid!=unset -F key=delete</pre>
-      </td>
-      <td xml:lang="en-US">
-        Auditing file deletions will create an audit trail for files that are removed
-from the system. The audit trail could aid in system troubleshooting, as well as, detecting
/usr/share/doc/scap-security-guide/tables/table-rhel8-pcidssrefs.html differs (HTML document, ASCII text, with very long lines)
--- old//usr/share/doc/scap-security-guide/tables/table-rhel8-pcidssrefs.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/tables/table-rhel8-pcidssrefs.html	2023-07-27 00:00:00.000000000 +0000
@@ -45,7 +45,7 @@
   <tbody>
   <tr>
       <td>Req-1.3</td>
-      <td>Set configuration for IPv6 loopback traffic</td>
+      <td>Set configuration for loopback traffic</td>
       <td xml:lang="en-US">
         Configure the loopback interface to accept traffic.
 Configure all other interfaces to deny traffic to the loopback
@@ -54,14 +54,14 @@
       <td xml:lang="en-US">
         Loopback traffic is generated between processes on machine and is
 typically critical to operation of the system. The loopback interface
-is the only place that loopback network traffic should be seen,
-all other interfaces should ignore traffic on this network as an
+is the only place that loopback network traffic should be seen, all
+other interfaces should ignore traffic on this network as an
 anti-spoofing measure.
       </td>
     </tr>
     <tr>
       <td>Req-1.3</td>
-      <td>Set configuration for loopback traffic</td>
+      <td>Set configuration for IPv6 loopback traffic</td>
       <td xml:lang="en-US">
         Configure the loopback interface to accept traffic.
 Configure all other interfaces to deny traffic to the loopback
@@ -70,8 +70,8 @@
       <td xml:lang="en-US">
         Loopback traffic is generated between processes on machine and is
 typically critical to operation of the system. The loopback interface
-is the only place that loopback network traffic should be seen, all
-other interfaces should ignore traffic on this network as an
+is the only place that loopback network traffic should be seen,
+all other interfaces should ignore traffic on this network as an
 anti-spoofing measure.
       </td>
     </tr>
@@ -149,20 +149,6 @@
     </tr>
     <tr>
       <td>Req-1.4.1</td>
-      <td>Install iptables Package</td>
-      <td xml:lang="en-US">
-        The <code>iptables</code> package can be installed with the following command:
-<pre>
-$ sudo yum install iptables</pre>
-      </td>
-      <td xml:lang="en-US">
-        <tt>iptables</tt> controls the Linux kernel network packet filtering
-code. <tt>iptables</tt> allows system operators to set up firewalls and IP
-masquerading, etc.
-      </td>
-    </tr>
-    <tr>
-      <td>Req-1.4.1</td>
       <td>Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces</td>
       <td xml:lang="en-US">
         To set the runtime status of the <code>net.ipv4.tcp_syncookies</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.tcp_syncookies=1</pre>
@@ -178,6 +164,20 @@
       </td>
     </tr>
     <tr>
+      <td>Req-1.4.1</td>
+      <td>Install iptables Package</td>
+      <td xml:lang="en-US">
+        The <code>iptables</code> package can be installed with the following command:
+<pre>
+$ sudo yum install iptables</pre>
+      </td>
+      <td xml:lang="en-US">
+        <tt>iptables</tt> controls the Linux kernel network packet filtering
+code. <tt>iptables</tt> allows system operators to set up firewalls and IP
+masquerading, etc.
+      </td>
+    </tr>
+    <tr>
       <td>Req-1.4.2</td>
       <td>Disable SCTP Support</td>
       <td xml:lang="en-US">
@@ -222,17 +222,35 @@
     </tr>
     <tr>
       <td>Req-1.4.3</td>
-      <td>Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces</td>
+      <td>Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default</td>
       <td xml:lang="en-US">
-        To set the runtime status of the <code>net.ipv4.icmp_echo_ignore_broadcasts</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1</pre>
-To make sure that the setting is persistent, add the following line to a file in the directory <tt>/etc/sysctl.d</tt>: <pre>net.ipv4.icmp_echo_ignore_broadcasts = 1</pre>
+        To set the runtime status of the <code>net.ipv6.conf.default.accept_source_route</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv6.conf.default.accept_source_route=0</pre>
+To make sure that the setting is persistent, add the following line to a file in the directory <tt>/etc/sysctl.d</tt>: <pre>net.ipv6.conf.default.accept_source_route = 0</pre>
       </td>
       <td xml:lang="en-US">
-        Responding to broadcast (ICMP) echoes facilitates network mapping
-and provides a vector for amplification attacks.
-<br />
-Ignoring ICMP echo requests (pings) sent to broadcast or multicast
-addresses makes the system slightly more difficult to enumerate on the network.
+        Source-routed packets allow the source of the packet to suggest routers
+forward the packet along a different path than configured on the router, which can
+be used to bypass network security measures. This requirement applies only to the
+forwarding of source-routerd traffic, such as when IPv6 forwarding is enabled and
+the system is functioning as a router.
+
+Accepting source-routed packets in the IPv6 protocol has few legitimate
+uses. It should be disabled unless it is absolutely required.
+      </td>
+    </tr>
+    <tr>
+      <td>Req-1.4.3</td>
+      <td>Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces</td>
+      <td xml:lang="en-US">
+        To set the runtime status of the <code>net.ipv4.conf.all.rp_filter</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.all.rp_filter=1</pre>
+To make sure that the setting is persistent, add the following line to a file in the directory <tt>/etc/sysctl.d</tt>: <pre>net.ipv4.conf.all.rp_filter = 1</pre>
+      </td>
+      <td xml:lang="en-US">
+        Enabling reverse path filtering drops packets with source addresses
+that should not have been able to be received on the interface they were
+received on. It should not be used on systems which are routers for
+complicated networks, but is helpful for end hosts and routers serving small
+networks.
       </td>
     </tr>
     <tr>
@@ -250,17 +268,14 @@
     </tr>
     <tr>
       <td>Req-1.4.3</td>
-      <td>Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces</td>
+      <td>Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces</td>
       <td xml:lang="en-US">
-        To set the runtime status of the <code>net.ipv4.conf.all.rp_filter</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.conf.all.rp_filter=1</pre>
-To make sure that the setting is persistent, add the following line to a file in the directory <tt>/etc/sysctl.d</tt>: <pre>net.ipv4.conf.all.rp_filter = 1</pre>
+        To set the runtime status of the <code>net.ipv4.icmp_ignore_bogus_error_responses</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1</pre>
+To make sure that the setting is persistent, add the following line to a file in the directory <tt>/etc/sysctl.d</tt>: <pre>net.ipv4.icmp_ignore_bogus_error_responses = 1</pre>
       </td>
       <td xml:lang="en-US">
-        Enabling reverse path filtering drops packets with source addresses
-that should not have been able to be received on the interface they were
-received on. It should not be used on systems which are routers for
-complicated networks, but is helpful for end hosts and routers serving small
-networks.
+        Ignoring bogus ICMP error responses reduces
+log size, although some activity would not be logged.
       </td>
     </tr>
     <tr>
@@ -281,32 +296,33 @@
     </tr>
     <tr>
       <td>Req-1.4.3</td>
-      <td>Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default</td>
+      <td>Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces</td>
       <td xml:lang="en-US">
-        To set the runtime status of the <code>net.ipv6.conf.default.accept_source_route</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv6.conf.default.accept_source_route=0</pre>
-To make sure that the setting is persistent, add the following line to a file in the directory <tt>/etc/sysctl.d</tt>: <pre>net.ipv6.conf.default.accept_source_route = 0</pre>
+        To set the runtime status of the <code>net.ipv4.icmp_echo_ignore_broadcasts</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1</pre>
+To make sure that the setting is persistent, add the following line to a file in the directory <tt>/etc/sysctl.d</tt>: <pre>net.ipv4.icmp_echo_ignore_broadcasts = 1</pre>
       </td>
       <td xml:lang="en-US">
-        Source-routed packets allow the source of the packet to suggest routers
-forward the packet along a different path than configured on the router, which can
-be used to bypass network security measures. This requirement applies only to the
-forwarding of source-routerd traffic, such as when IPv6 forwarding is enabled and
-the system is functioning as a router.
-
-Accepting source-routed packets in the IPv6 protocol has few legitimate
-uses. It should be disabled unless it is absolutely required.
+        Responding to broadcast (ICMP) echoes facilitates network mapping
+and provides a vector for amplification attacks.
+<br />
+Ignoring ICMP echo requests (pings) sent to broadcast or multicast
+addresses makes the system slightly more difficult to enumerate on the network.
       </td>
     </tr>
     <tr>
-      <td>Req-1.4.3</td>
-      <td>Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces</td>
+      <td>Req-2.2</td>
+      <td>Configure SSH to use System Crypto Policy</td>
       <td xml:lang="en-US">
-        To set the runtime status of the <code>net.ipv4.icmp_ignore_bogus_error_responses</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1</pre>
-To make sure that the setting is persistent, add the following line to a file in the directory <tt>/etc/sysctl.d</tt>: <pre>net.ipv4.icmp_ignore_bogus_error_responses = 1</pre>
+        Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
+SSH is supported by crypto policy, but the SSH configuration may be
+set up to ignore it.
+To check that Crypto Policies settings are configured correctly, ensure that
+the <tt>CRYPTO_POLICY</tt> variable is either commented or not set at all
+in the <tt>/etc/sysconfig/sshd</tt>.
       </td>
       <td xml:lang="en-US">
-        Ignoring bogus ICMP error responses reduces
-log size, although some activity would not be logged.
+        Overriding the system crypto policy makes the behavior of the SSH service violate expectations,
+and makes system configuration more fragmented.
       </td>
     </tr>
     <tr>
/usr/share/scap-security-guide/tailoring/rhel7_stig_delta_tailoring.xml differs (ASCII text, with very long lines)
--- old//usr/share/scap-security-guide/tailoring/rhel7_stig_delta_tailoring.xml	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/scap-security-guide/tailoring/rhel7_stig_delta_tailoring.xml	2023-07-27 00:00:00.000000000 +0000
@@ -1,4 +1,4 @@
-<xccdf-1.2:Tailoring xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" id="xccdf_content-disa-delta_tailoring_default"><xccdf-1.2:version time="2023-07-27T15:50:24.131994">1</xccdf-1.2:version><xccdf-1.2:Profile id="xccdf_org.ssgproject.content_profile_stig_delta_tailoring" extends="xccdf_org.ssgproject.content_profile_stig"><xccdf-1.2:title override="true">DISA STIG for Red Hat Enterprise Linux 7</xccdf-1.2:title>
+<xccdf-1.2:Tailoring xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" id="xccdf_content-disa-delta_tailoring_default"><xccdf-1.2:version time="2039-08-29T05:10:46.936547">1</xccdf-1.2:version><xccdf-1.2:Profile id="xccdf_org.ssgproject.content_profile_stig_delta_tailoring" extends="xccdf_org.ssgproject.content_profile_stig"><xccdf-1.2:title override="true">DISA STIG for Red Hat Enterprise Linux 7</xccdf-1.2:title>
         <xccdf-1.2:description override="true">This profile contains configuration checks that align to the
 DISA STIG for Red Hat Enterprise Linux V3R10.
 
/usr/share/scap-security-guide/tailoring/rhel8_stig_delta_tailoring.xml differs (ASCII text, with very long lines)
--- old//usr/share/scap-security-guide/tailoring/rhel8_stig_delta_tailoring.xml	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/scap-security-guide/tailoring/rhel8_stig_delta_tailoring.xml	2023-07-27 00:00:00.000000000 +0000
@@ -1,4 +1,4 @@
-<xccdf-1.2:Tailoring xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" id="xccdf_content-disa-delta_tailoring_default"><xccdf-1.2:version time="2023-07-27T15:54:55.286643">1</xccdf-1.2:version><xccdf-1.2:Profile id="xccdf_org.ssgproject.content_profile_stig_delta_tailoring" extends="xccdf_org.ssgproject.content_profile_stig"><xccdf-1.2:title override="true">DISA STIG for Red Hat Enterprise Linux 8</xccdf-1.2:title>
+<xccdf-1.2:Tailoring xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" id="xccdf_content-disa-delta_tailoring_default"><xccdf-1.2:version time="2039-08-29T05:19:24.996724">1</xccdf-1.2:version><xccdf-1.2:Profile id="xccdf_org.ssgproject.content_profile_stig_delta_tailoring" extends="xccdf_org.ssgproject.content_profile_stig"><xccdf-1.2:title override="true">DISA STIG for Red Hat Enterprise Linux 8</xccdf-1.2:title>
         <xccdf-1.2:description override="true">This profile contains configuration checks that align to the
 DISA STIG for Red Hat Enterprise Linux 8 V1R9.
 
/usr/share/xml/scap/ssg/content/ssg-centos7-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-centos7-ds-1.2.xml	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-centos7-ds-1.2.xml	2023-07-27 00:00:00.000000000 +0000
@@ -53,7 +53,7 @@
   </ds:component>
   <ds:component id="scap_org.open-scap_comp_ssg-rhel7-xccdf.xml" timestamp="2023-07-27T00:00:00">
     <xccdf-1.2:Benchmark id="xccdf_org.ssgproject.content_benchmark_RHEL-7" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.2 xccdf-1.2.xsd" style="SCAP_1.2" resolved="true" xml:lang="en-US">
-      <xccdf-1.2:status date="2023-07-27">draft</xccdf-1.2:status>
+      <xccdf-1.2:status date="2039-08-29">draft</xccdf-1.2:status>
       <xccdf-1.2:title>Guide to the Secure Configuration of Red Hat Enterprise Linux 7</xccdf-1.2:title>
       <xccdf-1.2:description>This guide presents a catalog of security-relevant
 configuration settings for Red Hat Enterprise Linux 7. It is a rendering of
@@ -106,29 +106,42 @@
 countries. All other names are registered trademarks or trademarks of their
 respective companies.</xccdf-1.2:rear-matter>
       <cpe-lang:platform-specification>
-        <cpe-lang:platform id="machine_and_package_chrony_or_package_ntp">
+        <cpe-lang:platform id="wifi-iface">
           <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_wifi_interface:def:1"/>
+          </cpe-lang:logical-test>
+        </cpe-lang:platform>
+        <cpe-lang:platform id="not_aarch64_arch_and_os_linux_ol_gt_or_eq_9_0_or_aarch64_arch_and_os_linux_rhel_gt_or_eq_9_0_or_os_linux_rhel_le_or_eq_8_4_and_s390x_arch">
+          <cpe-lang:logical-test operator="AND" negate="true">
             <cpe-lang:logical-test operator="OR" negate="false">
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
+              <cpe-lang:logical-test operator="AND" negate="false">
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1"/>
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-os_linux_ol_gt_or_eq_9_0:def:1"/>
+              </cpe-lang:logical-test>
+              <cpe-lang:logical-test operator="AND" negate="false">
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1"/>
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_gt_or_eq_9_0:def:1"/>
+              </cpe-lang:logical-test>
+              <cpe-lang:logical-test operator="AND" negate="false">
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_le_or_eq_8_4:def:1"/>
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_s390x:def:1"/>
+              </cpe-lang:logical-test>
             </cpe-lang:logical-test>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_net-snmp">
+        <cpe-lang:platform id="package_yum">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_net-snmp:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_yum:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_not_s390x_arch">
+        <cpe-lang:platform id="package_postfix">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="os_linux_rhel_le_or_eq_8_5">
+        <cpe-lang:platform id="non-uefi">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_le_or_eq_8_5:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="machine_and_not_osbuild">
@@ -139,66 +152,77 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_sssd">
+        <cpe-lang:platform id="package_tftp-server">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_tftp-server:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_postfix">
+        <cpe-lang:platform id="package_ntp">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_mount_var-tmp">
+        <cpe-lang:platform id="machine_and_mount_tmp">
           <cpe-lang:logical-test operator="AND" negate="false">
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_var-tmp:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_tmp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_pam">
+        <cpe-lang:platform id="krb5_server_older_than_1_17-18">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-krb5_server_older_than_1_17_18:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="krb5_workstation_older_than_1_17-18_and_no_ovirt">
+        <cpe-lang:platform id="machine_and_package_chrony_or_package_ntp">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-krb5_workstation_older_than_1_17_18:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_no_ovirt:def:1"/>
+            <cpe-lang:logical-test operator="OR" negate="false">
+              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
+              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
+            </cpe-lang:logical-test>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="not_osbuild">
-          <cpe-lang:logical-test operator="AND" negate="true">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
+        <cpe-lang:platform id="machine_and_not_s390x_arch">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine">
+        <cpe-lang:platform id="package_sssd">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_shadow-utils">
+        <cpe-lang:platform id="machine_and_package_ufw">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_shadow-utils:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_polkit">
+        <cpe-lang:platform id="package_libuser">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_polkit:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_libuser:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_yum">
+        <cpe-lang:platform id="package_chrony_or_package_ntp">
+          <cpe-lang:logical-test operator="OR" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
+          </cpe-lang:logical-test>
+        </cpe-lang:platform>
+        <cpe-lang:platform id="package_nftables">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_yum:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_nftables:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_libuser">
+        <cpe-lang:platform id="package_gdm">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_libuser:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_gdm:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_nss-pam-ldapd">
+        <cpe-lang:platform id="package_pam">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_nss-pam-ldapd:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="not_s390x_arch">
@@ -206,36 +230,36 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
+        <cpe-lang:platform id="sssd-ldap">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-sssd_conf_uses_ldap:def:1"/>
+          </cpe-lang:logical-test>
+        </cpe-lang:platform>
         <cpe-lang:platform id="not_rhcos4-rhel9">
           <cpe-lang:logical-test operator="AND" negate="true">
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_OS_is_rhcos4_rhel9:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_chrony_or_package_ntp">
-          <cpe-lang:logical-test operator="OR" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
-          </cpe-lang:logical-test>
-        </cpe-lang:platform>
-        <cpe-lang:platform id="package_tftp-server">
+        <cpe-lang:platform id="package_chrony">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_tftp-server:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_systemd">
+        <cpe-lang:platform id="package_net-snmp">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_systemd:def:1"/>
/usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml	2023-07-27 00:00:00.000000000 +0000
@@ -55,7 +55,7 @@
   </ds:component>
   <ds:component id="scap_org.open-scap_comp_ssg-rhel7-xccdf.xml" timestamp="2023-07-27T00:00:00">
     <xccdf-1.2:Benchmark id="xccdf_org.ssgproject.content_benchmark_RHEL-7" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.2 xccdf-1.2.xsd" style="SCAP_1.2" resolved="true" xml:lang="en-US">
-      <xccdf-1.2:status date="2023-07-27">draft</xccdf-1.2:status>
+      <xccdf-1.2:status date="2039-08-29">draft</xccdf-1.2:status>
       <xccdf-1.2:title>Guide to the Secure Configuration of Red Hat Enterprise Linux 7</xccdf-1.2:title>
       <xccdf-1.2:description>This guide presents a catalog of security-relevant
 configuration settings for Red Hat Enterprise Linux 7. It is a rendering of
@@ -108,29 +108,42 @@
 countries. All other names are registered trademarks or trademarks of their
 respective companies.</xccdf-1.2:rear-matter>
       <cpe-lang:platform-specification>
-        <cpe-lang:platform id="machine_and_package_chrony_or_package_ntp">
+        <cpe-lang:platform id="wifi-iface">
           <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_wifi_interface:def:1"/>
+          </cpe-lang:logical-test>
+        </cpe-lang:platform>
+        <cpe-lang:platform id="not_aarch64_arch_and_os_linux_ol_gt_or_eq_9_0_or_aarch64_arch_and_os_linux_rhel_gt_or_eq_9_0_or_os_linux_rhel_le_or_eq_8_4_and_s390x_arch">
+          <cpe-lang:logical-test operator="AND" negate="true">
             <cpe-lang:logical-test operator="OR" negate="false">
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
+              <cpe-lang:logical-test operator="AND" negate="false">
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1"/>
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-os_linux_ol_gt_or_eq_9_0:def:1"/>
+              </cpe-lang:logical-test>
+              <cpe-lang:logical-test operator="AND" negate="false">
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1"/>
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_gt_or_eq_9_0:def:1"/>
+              </cpe-lang:logical-test>
+              <cpe-lang:logical-test operator="AND" negate="false">
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_le_or_eq_8_4:def:1"/>
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_s390x:def:1"/>
+              </cpe-lang:logical-test>
             </cpe-lang:logical-test>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_net-snmp">
+        <cpe-lang:platform id="package_yum">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_net-snmp:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_yum:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_not_s390x_arch">
+        <cpe-lang:platform id="package_postfix">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="os_linux_rhel_le_or_eq_8_5">
+        <cpe-lang:platform id="non-uefi">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_le_or_eq_8_5:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="machine_and_not_osbuild">
@@ -141,66 +154,77 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_sssd">
+        <cpe-lang:platform id="package_tftp-server">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_tftp-server:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_postfix">
+        <cpe-lang:platform id="package_ntp">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_mount_var-tmp">
+        <cpe-lang:platform id="machine_and_mount_tmp">
           <cpe-lang:logical-test operator="AND" negate="false">
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_var-tmp:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_tmp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_pam">
+        <cpe-lang:platform id="krb5_server_older_than_1_17-18">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-krb5_server_older_than_1_17_18:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="krb5_workstation_older_than_1_17-18_and_no_ovirt">
+        <cpe-lang:platform id="machine_and_package_chrony_or_package_ntp">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-krb5_workstation_older_than_1_17_18:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_no_ovirt:def:1"/>
+            <cpe-lang:logical-test operator="OR" negate="false">
+              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
+              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
+            </cpe-lang:logical-test>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="not_osbuild">
-          <cpe-lang:logical-test operator="AND" negate="true">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
+        <cpe-lang:platform id="machine_and_not_s390x_arch">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine">
+        <cpe-lang:platform id="package_sssd">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_shadow-utils">
+        <cpe-lang:platform id="machine_and_package_ufw">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_shadow-utils:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_polkit">
+        <cpe-lang:platform id="package_libuser">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_polkit:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_libuser:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_yum">
+        <cpe-lang:platform id="package_chrony_or_package_ntp">
+          <cpe-lang:logical-test operator="OR" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
+          </cpe-lang:logical-test>
+        </cpe-lang:platform>
+        <cpe-lang:platform id="package_nftables">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_yum:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_nftables:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_libuser">
+        <cpe-lang:platform id="package_gdm">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_libuser:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_gdm:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_nss-pam-ldapd">
+        <cpe-lang:platform id="package_pam">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_nss-pam-ldapd:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="not_s390x_arch">
@@ -208,36 +232,36 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
+        <cpe-lang:platform id="sssd-ldap">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-sssd_conf_uses_ldap:def:1"/>
+          </cpe-lang:logical-test>
+        </cpe-lang:platform>
         <cpe-lang:platform id="not_rhcos4-rhel9">
           <cpe-lang:logical-test operator="AND" negate="true">
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_OS_is_rhcos4_rhel9:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_chrony_or_package_ntp">
-          <cpe-lang:logical-test operator="OR" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
-          </cpe-lang:logical-test>
-        </cpe-lang:platform>
-        <cpe-lang:platform id="package_tftp-server">
+        <cpe-lang:platform id="package_chrony">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_tftp-server:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_systemd">
+        <cpe-lang:platform id="package_net-snmp">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_systemd:def:1"/>
/usr/share/xml/scap/ssg/content/ssg-centos7-xccdf.xml differs (ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-centos7-xccdf.xml	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-centos7-xccdf.xml	2023-07-27 00:00:00.000000000 +0000
@@ -1,5 +1,5 @@
 <xccdf-1.2:Benchmark xmlns:cpe-lang="http://cpe.mitre.org/language/2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:html="http://www.w3.org/1999/xhtml" xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="xccdf_org.ssgproject.content_benchmark_RHEL-7" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.2 xccdf-1.2.xsd" style="SCAP_1.2" resolved="true" xml:lang="en-US">
-  <xccdf-1.2:status date="2023-07-27">draft</xccdf-1.2:status>
+  <xccdf-1.2:status date="2039-08-29">draft</xccdf-1.2:status>
   <xccdf-1.2:title>Guide to the Secure Configuration of Red Hat Enterprise Linux 7</xccdf-1.2:title>
   <xccdf-1.2:description>This guide presents a catalog of security-relevant
 configuration settings for Red Hat Enterprise Linux 7. It is a rendering of
@@ -51,29 +51,42 @@
 countries. All other names are registered trademarks or trademarks of their
 respective companies.</xccdf-1.2:rear-matter>
   <cpe-lang:platform-specification>
-    <cpe-lang:platform id="machine_and_package_chrony_or_package_ntp">
+    <cpe-lang:platform id="wifi-iface">
       <cpe-lang:logical-test operator="AND" negate="false">
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_wifi_interface:def:1" />
+      </cpe-lang:logical-test>
+    </cpe-lang:platform>
+    <cpe-lang:platform id="not_aarch64_arch_and_os_linux_ol_gt_or_eq_9_0_or_aarch64_arch_and_os_linux_rhel_gt_or_eq_9_0_or_os_linux_rhel_le_or_eq_8_4_and_s390x_arch">
+      <cpe-lang:logical-test operator="AND" negate="true">
         <cpe-lang:logical-test operator="OR" negate="false">
-          <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1" />
-          <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1" />
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1" />
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-os_linux_ol_gt_or_eq_9_0:def:1" />
+          </cpe-lang:logical-test>
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1" />
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_gt_or_eq_9_0:def:1" />
+          </cpe-lang:logical-test>
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_le_or_eq_8_4:def:1" />
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_s390x:def:1" />
+          </cpe-lang:logical-test>
         </cpe-lang:logical-test>
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1" />
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_net-snmp">
+    <cpe-lang:platform id="package_yum">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_net-snmp:def:1" />
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_yum:def:1" />
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="machine_and_not_s390x_arch">
+    <cpe-lang:platform id="package_postfix">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1" />
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1" />
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1" />
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="os_linux_rhel_le_or_eq_8_5">
+    <cpe-lang:platform id="non-uefi">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_le_or_eq_8_5:def:1" />
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1" />
       </cpe-lang:logical-test>
     </cpe-lang:platform>
     <cpe-lang:platform id="machine_and_not_osbuild">
@@ -84,66 +97,77 @@
         <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1" />
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_sssd">
+    <cpe-lang:platform id="package_tftp-server">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1" />
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_tftp-server:def:1" />
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_postfix">
+    <cpe-lang:platform id="package_ntp">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1" />
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1" />
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="machine_and_mount_var-tmp">
+    <cpe-lang:platform id="machine_and_mount_tmp">
       <cpe-lang:logical-test operator="AND" negate="false">
         <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1" />
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_var-tmp:def:1" />
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_tmp:def:1" />
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_pam">
+    <cpe-lang:platform id="krb5_server_older_than_1_17-18">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1" />
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-krb5_server_older_than_1_17_18:def:1" />
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="krb5_workstation_older_than_1_17-18_and_no_ovirt">
+    <cpe-lang:platform id="machine_and_package_chrony_or_package_ntp">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-krb5_workstation_older_than_1_17_18:def:1" />
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_no_ovirt:def:1" />
+        <cpe-lang:logical-test operator="OR" negate="false">
+          <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1" />
+          <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1" />
+        </cpe-lang:logical-test>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1" />
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="not_osbuild">
-      <cpe-lang:logical-test operator="AND" negate="true">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1" />
+    <cpe-lang:platform id="machine_and_not_s390x_arch">
+      <cpe-lang:logical-test operator="AND" negate="false">
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1" />
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1" />
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="machine">
+    <cpe-lang:platform id="package_sssd">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1" />
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1" />
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_shadow-utils">
+    <cpe-lang:platform id="machine_and_package_ufw">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_shadow-utils:def:1" />
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1" />
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1" />
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_polkit">
+    <cpe-lang:platform id="package_libuser">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_polkit:def:1" />
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_libuser:def:1" />
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_yum">
+    <cpe-lang:platform id="package_chrony_or_package_ntp">
+      <cpe-lang:logical-test operator="OR" negate="false">
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1" />
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1" />
+      </cpe-lang:logical-test>
+    </cpe-lang:platform>
+    <cpe-lang:platform id="package_nftables">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_yum:def:1" />
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_nftables:def:1" />
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_libuser">
+    <cpe-lang:platform id="package_gdm">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_libuser:def:1" />
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_gdm:def:1" />
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_nss-pam-ldapd">
+    <cpe-lang:platform id="package_pam">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_nss-pam-ldapd:def:1" />
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1" />
       </cpe-lang:logical-test>
     </cpe-lang:platform>
     <cpe-lang:platform id="not_s390x_arch">
@@ -151,36 +175,36 @@
         <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1" />
       </cpe-lang:logical-test>
     </cpe-lang:platform>
+    <cpe-lang:platform id="sssd-ldap">
+      <cpe-lang:logical-test operator="AND" negate="false">
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-sssd_conf_uses_ldap:def:1" />
+      </cpe-lang:logical-test>
+    </cpe-lang:platform>
     <cpe-lang:platform id="not_rhcos4-rhel9">
       <cpe-lang:logical-test operator="AND" negate="true">
         <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_OS_is_rhcos4_rhel9:def:1" />
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_chrony_or_package_ntp">
-      <cpe-lang:logical-test operator="OR" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1" />
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1" />
-      </cpe-lang:logical-test>
-    </cpe-lang:platform>
-    <cpe-lang:platform id="package_tftp-server">
+    <cpe-lang:platform id="package_chrony">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_tftp-server:def:1" />
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1" />
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_systemd">
+    <cpe-lang:platform id="package_net-snmp">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_systemd:def:1" />
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_net-snmp:def:1" />
       </cpe-lang:logical-test>
/usr/share/xml/scap/ssg/content/ssg-centos8-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-centos8-ds-1.2.xml	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-centos8-ds-1.2.xml	2023-07-27 00:00:00.000000000 +0000
@@ -81,7 +81,7 @@
   </ds:component>
   <ds:component id="scap_org.open-scap_comp_ssg-rhel8-xccdf.xml" timestamp="2023-07-27T00:00:00">
     <xccdf-1.2:Benchmark id="xccdf_org.ssgproject.content_benchmark_RHEL-8" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.2 xccdf-1.2.xsd" style="SCAP_1.2" resolved="true" xml:lang="en-US">
-      <xccdf-1.2:status date="2023-07-27">draft</xccdf-1.2:status>
+      <xccdf-1.2:status date="2039-08-29">draft</xccdf-1.2:status>
       <xccdf-1.2:title>Guide to the Secure Configuration of Red Hat Enterprise Linux 8</xccdf-1.2:title>
       <xccdf-1.2:description>This guide presents a catalog of security-relevant
 configuration settings for Red Hat Enterprise Linux 8. It is a rendering of
@@ -134,29 +134,47 @@
 countries. All other names are registered trademarks or trademarks of their
 respective companies.</xccdf-1.2:rear-matter>
       <cpe-lang:platform-specification>
-        <cpe-lang:platform id="machine_and_package_chrony_or_package_ntp">
+        <cpe-lang:platform id="wifi-iface">
           <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_wifi_interface:def:1"/>
+          </cpe-lang:logical-test>
+        </cpe-lang:platform>
+        <cpe-lang:platform id="not_aarch64_arch_and_os_linux_ol_gt_or_eq_9_0_or_aarch64_arch_and_os_linux_rhel_gt_or_eq_9_0_or_os_linux_rhel_le_or_eq_8_4_and_s390x_arch">
+          <cpe-lang:logical-test operator="AND" negate="true">
             <cpe-lang:logical-test operator="OR" negate="false">
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
+              <cpe-lang:logical-test operator="AND" negate="false">
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1"/>
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-os_linux_ol_gt_or_eq_9_0:def:1"/>
+              </cpe-lang:logical-test>
+              <cpe-lang:logical-test operator="AND" negate="false">
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1"/>
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_gt_or_eq_9_0:def:1"/>
+              </cpe-lang:logical-test>
+              <cpe-lang:logical-test operator="AND" negate="false">
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_le_or_eq_8_4:def:1"/>
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_s390x:def:1"/>
+              </cpe-lang:logical-test>
             </cpe-lang:logical-test>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_net-snmp">
+        <cpe-lang:platform id="package_usbguard">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_net-snmp:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_usbguard:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_not_s390x_arch">
+        <cpe-lang:platform id="package_yum">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_yum:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="os_linux_rhel_le_or_eq_8_5">
+        <cpe-lang:platform id="package_postfix">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_le_or_eq_8_5:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
+          </cpe-lang:logical-test>
+        </cpe-lang:platform>
+        <cpe-lang:platform id="non-uefi">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="machine_and_not_osbuild">
@@ -167,77 +185,89 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_sssd">
+        <cpe-lang:platform id="package_tftp-server">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_tftp-server:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_postfix">
+        <cpe-lang:platform id="package_ntp">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_mount_var-tmp">
+        <cpe-lang:platform id="machine_and_uefi">
           <cpe-lang:logical-test operator="AND" negate="false">
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_var-tmp:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_uefi:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_pam">
+        <cpe-lang:platform id="machine_and_mount_tmp">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_tmp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="krb5_workstation_older_than_1_17-18_and_no_ovirt">
+        <cpe-lang:platform id="krb5_server_older_than_1_17-18">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-krb5_workstation_older_than_1_17_18:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_no_ovirt:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-krb5_server_older_than_1_17_18:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="not_osbuild">
-          <cpe-lang:logical-test operator="AND" negate="true">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
+        <cpe-lang:platform id="machine_and_package_chrony_or_package_ntp">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:logical-test operator="OR" negate="false">
+              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
+              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
+            </cpe-lang:logical-test>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine">
+        <cpe-lang:platform id="machine_and_not_s390x_arch">
           <cpe-lang:logical-test operator="AND" negate="false">
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_shadow-utils">
+        <cpe-lang:platform id="package_sssd">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_shadow-utils:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_polkit">
+        <cpe-lang:platform id="machine_and_package_ufw">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_polkit:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_yum">
+        <cpe-lang:platform id="package_libuser">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_yum:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_libuser:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="os_linux_rhel_gt_or_eq_8_7_and_os_linux_rhel_ne_9_0">
+        <cpe-lang:platform id="package_chrony_or_package_ntp">
+          <cpe-lang:logical-test operator="OR" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
+          </cpe-lang:logical-test>
+        </cpe-lang:platform>
+        <cpe-lang:platform id="package_nftables">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_gt_or_eq_8_7:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_ne_9_0:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_nftables:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_libuser">
+        <cpe-lang:platform id="package_gdm">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_libuser:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_gdm:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="no_ovirt">
+        <cpe-lang:platform id="package_pam">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_no_ovirt:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_nss-pam-ldapd">
+        <cpe-lang:platform id="os_linux_rhel_gt_or_eq_8_7_and_os_linux_rhel_ne_9_0">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_nss-pam-ldapd:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_gt_or_eq_8_7:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_ne_9_0:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="not_s390x_arch">
@@ -245,36 +275,36 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
+        <cpe-lang:platform id="sssd-ldap">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-sssd_conf_uses_ldap:def:1"/>
+          </cpe-lang:logical-test>
+        </cpe-lang:platform>
         <cpe-lang:platform id="not_rhcos4-rhel9">
/usr/share/xml/scap/ssg/content/ssg-centos8-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-centos8-ds.xml	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-centos8-ds.xml	2023-07-27 00:00:00.000000000 +0000
@@ -83,7 +83,7 @@
   </ds:component>
   <ds:component id="scap_org.open-scap_comp_ssg-rhel8-xccdf.xml" timestamp="2023-07-27T00:00:00">
     <xccdf-1.2:Benchmark id="xccdf_org.ssgproject.content_benchmark_RHEL-8" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.2 xccdf-1.2.xsd" style="SCAP_1.2" resolved="true" xml:lang="en-US">
-      <xccdf-1.2:status date="2023-07-27">draft</xccdf-1.2:status>
+      <xccdf-1.2:status date="2039-08-29">draft</xccdf-1.2:status>
       <xccdf-1.2:title>Guide to the Secure Configuration of Red Hat Enterprise Linux 8</xccdf-1.2:title>
       <xccdf-1.2:description>This guide presents a catalog of security-relevant
 configuration settings for Red Hat Enterprise Linux 8. It is a rendering of
@@ -136,29 +136,47 @@
 countries. All other names are registered trademarks or trademarks of their
 respective companies.</xccdf-1.2:rear-matter>
       <cpe-lang:platform-specification>
-        <cpe-lang:platform id="machine_and_package_chrony_or_package_ntp">
+        <cpe-lang:platform id="wifi-iface">
           <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_wifi_interface:def:1"/>
+          </cpe-lang:logical-test>
+        </cpe-lang:platform>
+        <cpe-lang:platform id="not_aarch64_arch_and_os_linux_ol_gt_or_eq_9_0_or_aarch64_arch_and_os_linux_rhel_gt_or_eq_9_0_or_os_linux_rhel_le_or_eq_8_4_and_s390x_arch">
+          <cpe-lang:logical-test operator="AND" negate="true">
             <cpe-lang:logical-test operator="OR" negate="false">
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
+              <cpe-lang:logical-test operator="AND" negate="false">
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1"/>
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-os_linux_ol_gt_or_eq_9_0:def:1"/>
+              </cpe-lang:logical-test>
+              <cpe-lang:logical-test operator="AND" negate="false">
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1"/>
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_gt_or_eq_9_0:def:1"/>
+              </cpe-lang:logical-test>
+              <cpe-lang:logical-test operator="AND" negate="false">
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_le_or_eq_8_4:def:1"/>
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_s390x:def:1"/>
+              </cpe-lang:logical-test>
             </cpe-lang:logical-test>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_net-snmp">
+        <cpe-lang:platform id="package_usbguard">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_net-snmp:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_usbguard:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_not_s390x_arch">
+        <cpe-lang:platform id="package_yum">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_yum:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="os_linux_rhel_le_or_eq_8_5">
+        <cpe-lang:platform id="package_postfix">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_le_or_eq_8_5:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
+          </cpe-lang:logical-test>
+        </cpe-lang:platform>
+        <cpe-lang:platform id="non-uefi">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="machine_and_not_osbuild">
@@ -169,77 +187,89 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_sssd">
+        <cpe-lang:platform id="package_tftp-server">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_tftp-server:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_postfix">
+        <cpe-lang:platform id="package_ntp">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_mount_var-tmp">
+        <cpe-lang:platform id="machine_and_uefi">
           <cpe-lang:logical-test operator="AND" negate="false">
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_var-tmp:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_uefi:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_pam">
+        <cpe-lang:platform id="machine_and_mount_tmp">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_tmp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="krb5_workstation_older_than_1_17-18_and_no_ovirt">
+        <cpe-lang:platform id="krb5_server_older_than_1_17-18">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-krb5_workstation_older_than_1_17_18:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_no_ovirt:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-krb5_server_older_than_1_17_18:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="not_osbuild">
-          <cpe-lang:logical-test operator="AND" negate="true">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
+        <cpe-lang:platform id="machine_and_package_chrony_or_package_ntp">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:logical-test operator="OR" negate="false">
+              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
+              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
+            </cpe-lang:logical-test>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine">
+        <cpe-lang:platform id="machine_and_not_s390x_arch">
           <cpe-lang:logical-test operator="AND" negate="false">
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_shadow-utils">
+        <cpe-lang:platform id="package_sssd">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_shadow-utils:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_polkit">
+        <cpe-lang:platform id="machine_and_package_ufw">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_polkit:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_yum">
+        <cpe-lang:platform id="package_libuser">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_yum:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_libuser:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="os_linux_rhel_gt_or_eq_8_7_and_os_linux_rhel_ne_9_0">
+        <cpe-lang:platform id="package_chrony_or_package_ntp">
+          <cpe-lang:logical-test operator="OR" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
+          </cpe-lang:logical-test>
+        </cpe-lang:platform>
+        <cpe-lang:platform id="package_nftables">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_gt_or_eq_8_7:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_ne_9_0:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_nftables:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_libuser">
+        <cpe-lang:platform id="package_gdm">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_libuser:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_gdm:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="no_ovirt">
+        <cpe-lang:platform id="package_pam">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_no_ovirt:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_nss-pam-ldapd">
+        <cpe-lang:platform id="os_linux_rhel_gt_or_eq_8_7_and_os_linux_rhel_ne_9_0">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_nss-pam-ldapd:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_gt_or_eq_8_7:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_ne_9_0:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="not_s390x_arch">
@@ -247,36 +277,36 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
+        <cpe-lang:platform id="sssd-ldap">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-sssd_conf_uses_ldap:def:1"/>
+          </cpe-lang:logical-test>
+        </cpe-lang:platform>
         <cpe-lang:platform id="not_rhcos4-rhel9">
/usr/share/xml/scap/ssg/content/ssg-centos8-xccdf.xml differs (ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-centos8-xccdf.xml	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-centos8-xccdf.xml	2023-07-27 00:00:00.000000000 +0000
@@ -1,5 +1,5 @@
 <xccdf-1.2:Benchmark xmlns:cpe-lang="http://cpe.mitre.org/language/2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:html="http://www.w3.org/1999/xhtml" xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="xccdf_org.ssgproject.content_benchmark_RHEL-8" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.2 xccdf-1.2.xsd" style="SCAP_1.2" resolved="true" xml:lang="en-US">
-  <xccdf-1.2:status date="2023-07-27">draft</xccdf-1.2:status>
+  <xccdf-1.2:status date="2039-08-29">draft</xccdf-1.2:status>
   <xccdf-1.2:title>Guide to the Secure Configuration of Red Hat Enterprise Linux 8</xccdf-1.2:title>
   <xccdf-1.2:description>This guide presents a catalog of security-relevant
 configuration settings for Red Hat Enterprise Linux 8. It is a rendering of
@@ -51,29 +51,47 @@
 countries. All other names are registered trademarks or trademarks of their
 respective companies.</xccdf-1.2:rear-matter>
   <cpe-lang:platform-specification>
-    <cpe-lang:platform id="machine_and_package_chrony_or_package_ntp">
+    <cpe-lang:platform id="wifi-iface">
       <cpe-lang:logical-test operator="AND" negate="false">
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_wifi_interface:def:1" />
+      </cpe-lang:logical-test>
+    </cpe-lang:platform>
+    <cpe-lang:platform id="not_aarch64_arch_and_os_linux_ol_gt_or_eq_9_0_or_aarch64_arch_and_os_linux_rhel_gt_or_eq_9_0_or_os_linux_rhel_le_or_eq_8_4_and_s390x_arch">
+      <cpe-lang:logical-test operator="AND" negate="true">
         <cpe-lang:logical-test operator="OR" negate="false">
-          <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1" />
-          <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1" />
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1" />
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-os_linux_ol_gt_or_eq_9_0:def:1" />
+          </cpe-lang:logical-test>
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1" />
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_gt_or_eq_9_0:def:1" />
+          </cpe-lang:logical-test>
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_le_or_eq_8_4:def:1" />
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_s390x:def:1" />
+          </cpe-lang:logical-test>
         </cpe-lang:logical-test>
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1" />
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_net-snmp">
+    <cpe-lang:platform id="package_usbguard">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_net-snmp:def:1" />
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_usbguard:def:1" />
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="machine_and_not_s390x_arch">
+    <cpe-lang:platform id="package_yum">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1" />
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1" />
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_yum:def:1" />
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="os_linux_rhel_le_or_eq_8_5">
+    <cpe-lang:platform id="package_postfix">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_le_or_eq_8_5:def:1" />
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1" />
+      </cpe-lang:logical-test>
+    </cpe-lang:platform>
+    <cpe-lang:platform id="non-uefi">
+      <cpe-lang:logical-test operator="AND" negate="false">
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1" />
       </cpe-lang:logical-test>
     </cpe-lang:platform>
     <cpe-lang:platform id="machine_and_not_osbuild">
@@ -84,77 +102,89 @@
         <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1" />
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_sssd">
+    <cpe-lang:platform id="package_tftp-server">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1" />
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_tftp-server:def:1" />
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_postfix">
+    <cpe-lang:platform id="package_ntp">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1" />
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1" />
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="machine_and_mount_var-tmp">
+    <cpe-lang:platform id="machine_and_uefi">
       <cpe-lang:logical-test operator="AND" negate="false">
         <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1" />
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_var-tmp:def:1" />
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_uefi:def:1" />
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_pam">
+    <cpe-lang:platform id="machine_and_mount_tmp">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1" />
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1" />
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_tmp:def:1" />
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="krb5_workstation_older_than_1_17-18_and_no_ovirt">
+    <cpe-lang:platform id="krb5_server_older_than_1_17-18">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-krb5_workstation_older_than_1_17_18:def:1" />
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_no_ovirt:def:1" />
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-krb5_server_older_than_1_17_18:def:1" />
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="not_osbuild">
-      <cpe-lang:logical-test operator="AND" negate="true">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1" />
+    <cpe-lang:platform id="machine_and_package_chrony_or_package_ntp">
+      <cpe-lang:logical-test operator="AND" negate="false">
+        <cpe-lang:logical-test operator="OR" negate="false">
+          <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1" />
+          <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1" />
+        </cpe-lang:logical-test>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1" />
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="machine">
+    <cpe-lang:platform id="machine_and_not_s390x_arch">
       <cpe-lang:logical-test operator="AND" negate="false">
         <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1" />
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1" />
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_shadow-utils">
+    <cpe-lang:platform id="package_sssd">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_shadow-utils:def:1" />
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1" />
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_polkit">
+    <cpe-lang:platform id="machine_and_package_ufw">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_polkit:def:1" />
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1" />
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1" />
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_yum">
+    <cpe-lang:platform id="package_libuser">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_yum:def:1" />
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_libuser:def:1" />
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="os_linux_rhel_gt_or_eq_8_7_and_os_linux_rhel_ne_9_0">
+    <cpe-lang:platform id="package_chrony_or_package_ntp">
+      <cpe-lang:logical-test operator="OR" negate="false">
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1" />
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1" />
+      </cpe-lang:logical-test>
+    </cpe-lang:platform>
+    <cpe-lang:platform id="package_nftables">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_gt_or_eq_8_7:def:1" />
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_ne_9_0:def:1" />
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_nftables:def:1" />
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_libuser">
+    <cpe-lang:platform id="package_gdm">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_libuser:def:1" />
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_gdm:def:1" />
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="no_ovirt">
+    <cpe-lang:platform id="package_pam">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_no_ovirt:def:1" />
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1" />
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_nss-pam-ldapd">
+    <cpe-lang:platform id="os_linux_rhel_gt_or_eq_8_7_and_os_linux_rhel_ne_9_0">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_nss-pam-ldapd:def:1" />
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_gt_or_eq_8_7:def:1" />
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_ne_9_0:def:1" />
       </cpe-lang:logical-test>
     </cpe-lang:platform>
     <cpe-lang:platform id="not_s390x_arch">
@@ -162,36 +192,36 @@
         <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1" />
       </cpe-lang:logical-test>
     </cpe-lang:platform>
+    <cpe-lang:platform id="sssd-ldap">
+      <cpe-lang:logical-test operator="AND" negate="false">
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-sssd_conf_uses_ldap:def:1" />
+      </cpe-lang:logical-test>
+    </cpe-lang:platform>
     <cpe-lang:platform id="not_rhcos4-rhel9">
       <cpe-lang:logical-test operator="AND" negate="true">
         <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-installed_OS_is_rhcos4_rhel9:def:1" />
/usr/share/xml/scap/ssg/content/ssg-cs9-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-cs9-ds-1.2.xml	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-cs9-ds-1.2.xml	2023-07-27 00:00:00.000000000 +0000
@@ -37,7 +37,7 @@
   </ds:component>
   <ds:component id="scap_org.open-scap_comp_ssg-rhel9-xccdf.xml" timestamp="2023-07-27T00:00:00">
     <xccdf-1.2:Benchmark id="xccdf_org.ssgproject.content_benchmark_RHEL-9" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.2 xccdf-1.2.xsd" style="SCAP_1.2" resolved="true" xml:lang="en-US">
-      <xccdf-1.2:status date="2023-07-27">draft</xccdf-1.2:status>
+      <xccdf-1.2:status date="2039-08-29">draft</xccdf-1.2:status>
       <xccdf-1.2:title>Guide to the Secure Configuration of Red Hat Enterprise Linux 9</xccdf-1.2:title>
       <xccdf-1.2:description>This guide presents a catalog of security-relevant
 configuration settings for Red Hat Enterprise Linux 9. It is a rendering of
@@ -90,20 +90,9 @@
 countries. All other names are registered trademarks or trademarks of their
 respective companies.</xccdf-1.2:rear-matter>
       <cpe-lang:platform-specification>
-        <cpe-lang:platform id="package_net-snmp">
-          <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_net-snmp:def:1"/>
-          </cpe-lang:logical-test>
-        </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_not_s390x_arch">
+        <cpe-lang:platform id="wifi-iface">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
-          </cpe-lang:logical-test>
-        </cpe-lang:platform>
-        <cpe-lang:platform id="not_ppc64le_arch">
-          <cpe-lang:logical-test operator="AND" negate="true">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_ppc64le:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_wifi_interface:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="not_aarch64_arch_and_not_ppc64le_arch">
@@ -116,22 +105,37 @@
             </cpe-lang:logical-test>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="os_linux_rhel_le_or_eq_8_5">
-          <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_le_or_eq_8_5:def:1"/>
+        <cpe-lang:platform id="not_aarch64_arch_and_os_linux_ol_gt_or_eq_9_0_or_aarch64_arch_and_os_linux_rhel_gt_or_eq_9_0_or_os_linux_rhel_le_or_eq_8_4_and_s390x_arch">
+          <cpe-lang:logical-test operator="AND" negate="true">
+            <cpe-lang:logical-test operator="OR" negate="false">
+              <cpe-lang:logical-test operator="AND" negate="false">
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1"/>
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-os_linux_ol_gt_or_eq_9_0:def:1"/>
+              </cpe-lang:logical-test>
+              <cpe-lang:logical-test operator="AND" negate="false">
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1"/>
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_gt_or_eq_9_0:def:1"/>
+              </cpe-lang:logical-test>
+              <cpe-lang:logical-test operator="AND" negate="false">
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_le_or_eq_8_4:def:1"/>
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_s390x:def:1"/>
+              </cpe-lang:logical-test>
+            </cpe-lang:logical-test>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_not_osbuild">
+        <cpe-lang:platform id="package_usbguard">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:logical-test operator="AND" negate="true">
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
-            </cpe-lang:logical-test>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_usbguard:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_sssd">
+        <cpe-lang:platform id="package_yum">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_yum:def:1"/>
+          </cpe-lang:logical-test>
+        </cpe-lang:platform>
+        <cpe-lang:platform id="not_ppc64le_arch">
+          <cpe-lang:logical-test operator="AND" negate="true">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_ppc64le:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="package_postfix">
@@ -139,62 +143,71 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_mount_var-tmp">
+        <cpe-lang:platform id="non-uefi">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
+          </cpe-lang:logical-test>
+        </cpe-lang:platform>
+        <cpe-lang:platform id="machine_and_not_osbuild">
           <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:logical-test operator="AND" negate="true">
+              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
+            </cpe-lang:logical-test>
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_var-tmp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_pam">
+        <cpe-lang:platform id="ppc64le_arch">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_ppc64le:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="krb5_workstation_older_than_1_17-18_and_no_ovirt">
+        <cpe-lang:platform id="package_tftp-server">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-krb5_workstation_older_than_1_17_18:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_no_ovirt:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_tftp-server:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="not_osbuild">
-          <cpe-lang:logical-test operator="AND" negate="true">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
+        <cpe-lang:platform id="package_ntp">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine">
+        <cpe-lang:platform id="machine_and_uefi">
           <cpe-lang:logical-test operator="AND" negate="false">
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_uefi:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_shadow-utils">
+        <cpe-lang:platform id="machine_and_mount_tmp">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_shadow-utils:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_tmp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_polkit">
+        <cpe-lang:platform id="krb5_server_older_than_1_17-18">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_polkit:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-krb5_server_older_than_1_17_18:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_yum">
+        <cpe-lang:platform id="machine_and_not_s390x_arch">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_yum:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="os_linux_rhel_gt_or_eq_8_7_and_os_linux_rhel_ne_9_0">
+        <cpe-lang:platform id="package_sssd">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_gt_or_eq_8_7:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_ne_9_0:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_libuser">
+        <cpe-lang:platform id="machine_and_package_ufw">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_libuser:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="not_s390x_arch">
+        <cpe-lang:platform id="package_libuser">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_libuser:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="package_chrony_or_package_ntp">
@@ -203,86 +216,77 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_tftp-server">
-          <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_tftp-server:def:1"/>
-          </cpe-lang:logical-test>
-        </cpe-lang:platform>
-        <cpe-lang:platform id="package_systemd">
+        <cpe-lang:platform id="package_nftables">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_systemd:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_nftables:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="non-uefi">
+        <cpe-lang:platform id="package_gdm">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_gdm:def:1"/>
           </cpe-lang:logical-test>
/usr/share/xml/scap/ssg/content/ssg-cs9-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-cs9-ds.xml	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-cs9-ds.xml	2023-07-27 00:00:00.000000000 +0000
@@ -39,7 +39,7 @@
   </ds:component>
   <ds:component id="scap_org.open-scap_comp_ssg-rhel9-xccdf.xml" timestamp="2023-07-27T00:00:00">
     <xccdf-1.2:Benchmark id="xccdf_org.ssgproject.content_benchmark_RHEL-9" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.2 xccdf-1.2.xsd" style="SCAP_1.2" resolved="true" xml:lang="en-US">
-      <xccdf-1.2:status date="2023-07-27">draft</xccdf-1.2:status>
+      <xccdf-1.2:status date="2039-08-29">draft</xccdf-1.2:status>
       <xccdf-1.2:title>Guide to the Secure Configuration of Red Hat Enterprise Linux 9</xccdf-1.2:title>
       <xccdf-1.2:description>This guide presents a catalog of security-relevant
 configuration settings for Red Hat Enterprise Linux 9. It is a rendering of
@@ -92,20 +92,9 @@
 countries. All other names are registered trademarks or trademarks of their
 respective companies.</xccdf-1.2:rear-matter>
       <cpe-lang:platform-specification>
-        <cpe-lang:platform id="package_net-snmp">
-          <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_net-snmp:def:1"/>
-          </cpe-lang:logical-test>
-        </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_not_s390x_arch">
+        <cpe-lang:platform id="wifi-iface">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
-          </cpe-lang:logical-test>
-        </cpe-lang:platform>
-        <cpe-lang:platform id="not_ppc64le_arch">
-          <cpe-lang:logical-test operator="AND" negate="true">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_ppc64le:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_wifi_interface:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="not_aarch64_arch_and_not_ppc64le_arch">
@@ -118,22 +107,37 @@
             </cpe-lang:logical-test>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="os_linux_rhel_le_or_eq_8_5">
-          <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_le_or_eq_8_5:def:1"/>
+        <cpe-lang:platform id="not_aarch64_arch_and_os_linux_ol_gt_or_eq_9_0_or_aarch64_arch_and_os_linux_rhel_gt_or_eq_9_0_or_os_linux_rhel_le_or_eq_8_4_and_s390x_arch">
+          <cpe-lang:logical-test operator="AND" negate="true">
+            <cpe-lang:logical-test operator="OR" negate="false">
+              <cpe-lang:logical-test operator="AND" negate="false">
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1"/>
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-os_linux_ol_gt_or_eq_9_0:def:1"/>
+              </cpe-lang:logical-test>
+              <cpe-lang:logical-test operator="AND" negate="false">
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1"/>
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_gt_or_eq_9_0:def:1"/>
+              </cpe-lang:logical-test>
+              <cpe-lang:logical-test operator="AND" negate="false">
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_le_or_eq_8_4:def:1"/>
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_s390x:def:1"/>
+              </cpe-lang:logical-test>
+            </cpe-lang:logical-test>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_not_osbuild">
+        <cpe-lang:platform id="package_usbguard">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:logical-test operator="AND" negate="true">
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
-            </cpe-lang:logical-test>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_usbguard:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_sssd">
+        <cpe-lang:platform id="package_yum">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_yum:def:1"/>
+          </cpe-lang:logical-test>
+        </cpe-lang:platform>
+        <cpe-lang:platform id="not_ppc64le_arch">
+          <cpe-lang:logical-test operator="AND" negate="true">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_ppc64le:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="package_postfix">
@@ -141,62 +145,71 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_mount_var-tmp">
+        <cpe-lang:platform id="non-uefi">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
+          </cpe-lang:logical-test>
+        </cpe-lang:platform>
+        <cpe-lang:platform id="machine_and_not_osbuild">
           <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:logical-test operator="AND" negate="true">
+              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
+            </cpe-lang:logical-test>
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_var-tmp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_pam">
+        <cpe-lang:platform id="ppc64le_arch">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_ppc64le:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="krb5_workstation_older_than_1_17-18_and_no_ovirt">
+        <cpe-lang:platform id="package_tftp-server">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-krb5_workstation_older_than_1_17_18:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_no_ovirt:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_tftp-server:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="not_osbuild">
-          <cpe-lang:logical-test operator="AND" negate="true">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
+        <cpe-lang:platform id="package_ntp">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine">
+        <cpe-lang:platform id="machine_and_uefi">
           <cpe-lang:logical-test operator="AND" negate="false">
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_uefi:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_shadow-utils">
+        <cpe-lang:platform id="machine_and_mount_tmp">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_shadow-utils:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_tmp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_polkit">
+        <cpe-lang:platform id="krb5_server_older_than_1_17-18">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_polkit:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-krb5_server_older_than_1_17_18:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_yum">
+        <cpe-lang:platform id="machine_and_not_s390x_arch">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_yum:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="os_linux_rhel_gt_or_eq_8_7_and_os_linux_rhel_ne_9_0">
+        <cpe-lang:platform id="package_sssd">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_gt_or_eq_8_7:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_ne_9_0:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_libuser">
+        <cpe-lang:platform id="machine_and_package_ufw">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_libuser:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="not_s390x_arch">
+        <cpe-lang:platform id="package_libuser">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_libuser:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="package_chrony_or_package_ntp">
@@ -205,86 +218,77 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_tftp-server">
-          <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_tftp-server:def:1"/>
-          </cpe-lang:logical-test>
-        </cpe-lang:platform>
-        <cpe-lang:platform id="package_systemd">
+        <cpe-lang:platform id="package_nftables">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_systemd:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_nftables:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="non-uefi">
+        <cpe-lang:platform id="package_gdm">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_gdm:def:1"/>
           </cpe-lang:logical-test>
/usr/share/xml/scap/ssg/content/ssg-cs9-xccdf.xml differs (ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-cs9-xccdf.xml	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-cs9-xccdf.xml	2023-07-27 00:00:00.000000000 +0000
@@ -1,5 +1,5 @@
 <xccdf-1.2:Benchmark xmlns:cpe-lang="http://cpe.mitre.org/language/2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:html="http://www.w3.org/1999/xhtml" xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="xccdf_org.ssgproject.content_benchmark_RHEL-9" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.2 xccdf-1.2.xsd" style="SCAP_1.2" resolved="true" xml:lang="en-US">
-  <xccdf-1.2:status date="2023-07-27">draft</xccdf-1.2:status>
+  <xccdf-1.2:status date="2039-08-29">draft</xccdf-1.2:status>
   <xccdf-1.2:title>Guide to the Secure Configuration of Red Hat Enterprise Linux 9</xccdf-1.2:title>
   <xccdf-1.2:description>This guide presents a catalog of security-relevant
 configuration settings for Red Hat Enterprise Linux 9. It is a rendering of
@@ -51,20 +51,9 @@
 countries. All other names are registered trademarks or trademarks of their
 respective companies.</xccdf-1.2:rear-matter>
   <cpe-lang:platform-specification>
-    <cpe-lang:platform id="package_net-snmp">
-      <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_net-snmp:def:1" />
-      </cpe-lang:logical-test>
-    </cpe-lang:platform>
-    <cpe-lang:platform id="machine_and_not_s390x_arch">
+    <cpe-lang:platform id="wifi-iface">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1" />
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1" />
-      </cpe-lang:logical-test>
-    </cpe-lang:platform>
-    <cpe-lang:platform id="not_ppc64le_arch">
-      <cpe-lang:logical-test operator="AND" negate="true">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_ppc64le:def:1" />
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_wifi_interface:def:1" />
       </cpe-lang:logical-test>
     </cpe-lang:platform>
     <cpe-lang:platform id="not_aarch64_arch_and_not_ppc64le_arch">
@@ -77,22 +66,37 @@
         </cpe-lang:logical-test>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="os_linux_rhel_le_or_eq_8_5">
-      <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_le_or_eq_8_5:def:1" />
+    <cpe-lang:platform id="not_aarch64_arch_and_os_linux_ol_gt_or_eq_9_0_or_aarch64_arch_and_os_linux_rhel_gt_or_eq_9_0_or_os_linux_rhel_le_or_eq_8_4_and_s390x_arch">
+      <cpe-lang:logical-test operator="AND" negate="true">
+        <cpe-lang:logical-test operator="OR" negate="false">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1" />
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-os_linux_ol_gt_or_eq_9_0:def:1" />
+          </cpe-lang:logical-test>
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1" />
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_gt_or_eq_9_0:def:1" />
+          </cpe-lang:logical-test>
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_le_or_eq_8_4:def:1" />
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_s390x:def:1" />
+          </cpe-lang:logical-test>
+        </cpe-lang:logical-test>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="machine_and_not_osbuild">
+    <cpe-lang:platform id="package_usbguard">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:logical-test operator="AND" negate="true">
-          <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1" />
-        </cpe-lang:logical-test>
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1" />
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_usbguard:def:1" />
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_sssd">
+    <cpe-lang:platform id="package_yum">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1" />
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_yum:def:1" />
+      </cpe-lang:logical-test>
+    </cpe-lang:platform>
+    <cpe-lang:platform id="not_ppc64le_arch">
+      <cpe-lang:logical-test operator="AND" negate="true">
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_ppc64le:def:1" />
       </cpe-lang:logical-test>
     </cpe-lang:platform>
     <cpe-lang:platform id="package_postfix">
@@ -100,62 +104,71 @@
         <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1" />
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="machine_and_mount_var-tmp">
+    <cpe-lang:platform id="non-uefi">
       <cpe-lang:logical-test operator="AND" negate="false">
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1" />
+      </cpe-lang:logical-test>
+    </cpe-lang:platform>
+    <cpe-lang:platform id="machine_and_not_osbuild">
+      <cpe-lang:logical-test operator="AND" negate="false">
+        <cpe-lang:logical-test operator="AND" negate="true">
+          <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1" />
+        </cpe-lang:logical-test>
         <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1" />
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_var-tmp:def:1" />
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_pam">
+    <cpe-lang:platform id="ppc64le_arch">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1" />
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_ppc64le:def:1" />
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="krb5_workstation_older_than_1_17-18_and_no_ovirt">
+    <cpe-lang:platform id="package_tftp-server">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-krb5_workstation_older_than_1_17_18:def:1" />
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_no_ovirt:def:1" />
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_tftp-server:def:1" />
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="not_osbuild">
-      <cpe-lang:logical-test operator="AND" negate="true">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1" />
+    <cpe-lang:platform id="package_ntp">
+      <cpe-lang:logical-test operator="AND" negate="false">
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1" />
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="machine">
+    <cpe-lang:platform id="machine_and_uefi">
       <cpe-lang:logical-test operator="AND" negate="false">
         <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1" />
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_uefi:def:1" />
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_shadow-utils">
+    <cpe-lang:platform id="machine_and_mount_tmp">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_shadow-utils:def:1" />
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1" />
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_tmp:def:1" />
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_polkit">
+    <cpe-lang:platform id="krb5_server_older_than_1_17-18">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_polkit:def:1" />
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-krb5_server_older_than_1_17_18:def:1" />
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_yum">
+    <cpe-lang:platform id="machine_and_not_s390x_arch">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_yum:def:1" />
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1" />
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1" />
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="os_linux_rhel_gt_or_eq_8_7_and_os_linux_rhel_ne_9_0">
+    <cpe-lang:platform id="package_sssd">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_gt_or_eq_8_7:def:1" />
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_ne_9_0:def:1" />
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1" />
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_libuser">
+    <cpe-lang:platform id="machine_and_package_ufw">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_libuser:def:1" />
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1" />
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1" />
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="not_s390x_arch">
+    <cpe-lang:platform id="package_libuser">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1" />
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_libuser:def:1" />
       </cpe-lang:logical-test>
     </cpe-lang:platform>
     <cpe-lang:platform id="package_chrony_or_package_ntp">
@@ -164,86 +177,77 @@
         <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1" />
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_tftp-server">
-      <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_tftp-server:def:1" />
-      </cpe-lang:logical-test>
-    </cpe-lang:platform>
-    <cpe-lang:platform id="package_systemd">
+    <cpe-lang:platform id="package_nftables">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_systemd:def:1" />
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_nftables:def:1" />
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="non-uefi">
+    <cpe-lang:platform id="package_gdm">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1" />
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_gdm:def:1" />
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="machine_and_mount_tmp">
/usr/share/xml/scap/ssg/content/ssg-fedora-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-fedora-ds-1.2.xml	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-fedora-ds-1.2.xml	2023-07-27 00:00:00.000000000 +0000
@@ -49,7 +49,7 @@
   </ds:component>
   <ds:component id="scap_org.open-scap_comp_ssg-fedora-xccdf.xml" timestamp="2023-07-27T00:00:00">
     <xccdf-1.2:Benchmark id="xccdf_org.ssgproject.content_benchmark_FEDORA" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.2 xccdf-1.2.xsd" style="SCAP_1.2" resolved="true" xml:lang="en-US">
-      <xccdf-1.2:status date="2023-07-27">draft</xccdf-1.2:status>
+      <xccdf-1.2:status date="2039-08-29">draft</xccdf-1.2:status>
       <xccdf-1.2:title>Guide to the Secure Configuration of Fedora</xccdf-1.2:title>
       <xccdf-1.2:description>This guide presents a catalog of security-relevant
 configuration settings for Fedora. It is a rendering of
@@ -92,24 +92,52 @@
 countries. All other names are registered trademarks or trademarks of their
 respective companies.</xccdf-1.2:rear-matter>
       <cpe-lang:platform-specification>
-        <cpe-lang:platform id="machine_and_package_chrony_or_package_ntp">
+        <cpe-lang:platform id="wifi-iface">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_wifi_interface:def:1"/>
+          </cpe-lang:logical-test>
+        </cpe-lang:platform>
+        <cpe-lang:platform id="krb5_workstation_older_than_1_17-18">
           <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-krb5_workstation_older_than_1_17_18:def:1"/>
+          </cpe-lang:logical-test>
+        </cpe-lang:platform>
+        <cpe-lang:platform id="not_aarch64_arch_and_os_linux_ol_gt_or_eq_9_0_or_aarch64_arch_and_os_linux_rhel_gt_or_eq_9_0_or_os_linux_rhel_le_or_eq_8_4_and_s390x_arch">
+          <cpe-lang:logical-test operator="AND" negate="true">
             <cpe-lang:logical-test operator="OR" negate="false">
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
+              <cpe-lang:logical-test operator="AND" negate="false">
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1"/>
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-os_linux_ol_gt_or_eq_9_0:def:1"/>
+              </cpe-lang:logical-test>
+              <cpe-lang:logical-test operator="AND" negate="false">
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1"/>
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_gt_or_eq_9_0:def:1"/>
+              </cpe-lang:logical-test>
+              <cpe-lang:logical-test operator="AND" negate="false">
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_le_or_eq_8_4:def:1"/>
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_s390x:def:1"/>
+              </cpe-lang:logical-test>
             </cpe-lang:logical-test>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_net-snmp">
+        <cpe-lang:platform id="package_usbguard">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-package_net-snmp:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-package_usbguard:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_not_s390x_arch">
+        <cpe-lang:platform id="package_yum">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-package_yum:def:1"/>
+          </cpe-lang:logical-test>
+        </cpe-lang:platform>
+        <cpe-lang:platform id="package_postfix">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
+          </cpe-lang:logical-test>
+        </cpe-lang:platform>
+        <cpe-lang:platform id="non-uefi">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="machine_and_not_osbuild">
@@ -120,55 +148,62 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_sssd">
+        <cpe-lang:platform id="package_ntp">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_postfix">
+        <cpe-lang:platform id="machine_and_mount_tmp">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_tmp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_mount_var-tmp">
+        <cpe-lang:platform id="machine_and_package_chrony_or_package_ntp">
           <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:logical-test operator="OR" negate="false">
+              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
+              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
+            </cpe-lang:logical-test>
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_var-tmp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_pam">
+        <cpe-lang:platform id="machine_and_not_s390x_arch">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="not_osbuild">
-          <cpe-lang:logical-test operator="AND" negate="true">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
+        <cpe-lang:platform id="package_sssd">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine">
+        <cpe-lang:platform id="machine_and_package_ufw">
           <cpe-lang:logical-test operator="AND" negate="false">
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_shadow-utils">
+        <cpe-lang:platform id="package_libuser">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-package_shadow-utils:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-package_libuser:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_polkit">
-          <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-package_polkit:def:1"/>
+        <cpe-lang:platform id="package_chrony_or_package_ntp">
+          <cpe-lang:logical-test operator="OR" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_yum">
+        <cpe-lang:platform id="package_gdm">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-package_yum:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-package_gdm:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_libuser">
+        <cpe-lang:platform id="package_pam">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-package_libuser:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="not_s390x_arch">
@@ -181,26 +216,20 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-installed_OS_is_rhcos4_rhel9:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_chrony_or_package_ntp">
-          <cpe-lang:logical-test operator="OR" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
-          </cpe-lang:logical-test>
-        </cpe-lang:platform>
-        <cpe-lang:platform id="package_systemd">
+        <cpe-lang:platform id="package_chrony">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-package_systemd:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="non-uefi">
+        <cpe-lang:platform id="package_net-snmp">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-package_net-snmp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_mount_tmp">
+        <cpe-lang:platform id="machine_and_mount_var-tmp">
           <cpe-lang:logical-test operator="AND" negate="false">
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_tmp:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_var-tmp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="package_sudo">
@@ -208,19 +237,14 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-package_sudo:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="not_package_nftables_and_not_package_ufw">
+        <cpe-lang:platform id="package_systemd">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:logical-test operator="AND" negate="true">
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-package_nftables:def:1"/>
-            </cpe-lang:logical-test>
/usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml	2023-07-27 00:00:00.000000000 +0000
@@ -49,7 +49,7 @@
   </ds:component>
   <ds:component id="scap_org.open-scap_comp_ssg-fedora-xccdf.xml" timestamp="2023-07-27T00:00:00">
     <xccdf-1.2:Benchmark id="xccdf_org.ssgproject.content_benchmark_FEDORA" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.2 xccdf-1.2.xsd" style="SCAP_1.2" resolved="true" xml:lang="en-US">
-      <xccdf-1.2:status date="2023-07-27">draft</xccdf-1.2:status>
+      <xccdf-1.2:status date="2039-08-29">draft</xccdf-1.2:status>
       <xccdf-1.2:title>Guide to the Secure Configuration of Fedora</xccdf-1.2:title>
       <xccdf-1.2:description>This guide presents a catalog of security-relevant
 configuration settings for Fedora. It is a rendering of
@@ -92,24 +92,52 @@
 countries. All other names are registered trademarks or trademarks of their
 respective companies.</xccdf-1.2:rear-matter>
       <cpe-lang:platform-specification>
-        <cpe-lang:platform id="machine_and_package_chrony_or_package_ntp">
+        <cpe-lang:platform id="wifi-iface">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_wifi_interface:def:1"/>
+          </cpe-lang:logical-test>
+        </cpe-lang:platform>
+        <cpe-lang:platform id="krb5_workstation_older_than_1_17-18">
           <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-krb5_workstation_older_than_1_17_18:def:1"/>
+          </cpe-lang:logical-test>
+        </cpe-lang:platform>
+        <cpe-lang:platform id="not_aarch64_arch_and_os_linux_ol_gt_or_eq_9_0_or_aarch64_arch_and_os_linux_rhel_gt_or_eq_9_0_or_os_linux_rhel_le_or_eq_8_4_and_s390x_arch">
+          <cpe-lang:logical-test operator="AND" negate="true">
             <cpe-lang:logical-test operator="OR" negate="false">
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
+              <cpe-lang:logical-test operator="AND" negate="false">
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1"/>
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-os_linux_ol_gt_or_eq_9_0:def:1"/>
+              </cpe-lang:logical-test>
+              <cpe-lang:logical-test operator="AND" negate="false">
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1"/>
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_gt_or_eq_9_0:def:1"/>
+              </cpe-lang:logical-test>
+              <cpe-lang:logical-test operator="AND" negate="false">
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_le_or_eq_8_4:def:1"/>
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_s390x:def:1"/>
+              </cpe-lang:logical-test>
             </cpe-lang:logical-test>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_net-snmp">
+        <cpe-lang:platform id="package_usbguard">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-package_net-snmp:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-package_usbguard:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_not_s390x_arch">
+        <cpe-lang:platform id="package_yum">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-package_yum:def:1"/>
+          </cpe-lang:logical-test>
+        </cpe-lang:platform>
+        <cpe-lang:platform id="package_postfix">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
+          </cpe-lang:logical-test>
+        </cpe-lang:platform>
+        <cpe-lang:platform id="non-uefi">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="machine_and_not_osbuild">
@@ -120,55 +148,62 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_sssd">
+        <cpe-lang:platform id="package_ntp">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_postfix">
+        <cpe-lang:platform id="machine_and_mount_tmp">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_tmp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_mount_var-tmp">
+        <cpe-lang:platform id="machine_and_package_chrony_or_package_ntp">
           <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:logical-test operator="OR" negate="false">
+              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
+              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
+            </cpe-lang:logical-test>
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_var-tmp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_pam">
+        <cpe-lang:platform id="machine_and_not_s390x_arch">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="not_osbuild">
-          <cpe-lang:logical-test operator="AND" negate="true">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
+        <cpe-lang:platform id="package_sssd">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine">
+        <cpe-lang:platform id="machine_and_package_ufw">
           <cpe-lang:logical-test operator="AND" negate="false">
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_shadow-utils">
+        <cpe-lang:platform id="package_libuser">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-package_shadow-utils:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-package_libuser:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_polkit">
-          <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-package_polkit:def:1"/>
+        <cpe-lang:platform id="package_chrony_or_package_ntp">
+          <cpe-lang:logical-test operator="OR" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_yum">
+        <cpe-lang:platform id="package_gdm">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-package_yum:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-package_gdm:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_libuser">
+        <cpe-lang:platform id="package_pam">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-package_libuser:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="not_s390x_arch">
@@ -181,26 +216,20 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-installed_OS_is_rhcos4_rhel9:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_chrony_or_package_ntp">
-          <cpe-lang:logical-test operator="OR" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
-          </cpe-lang:logical-test>
-        </cpe-lang:platform>
-        <cpe-lang:platform id="package_systemd">
+        <cpe-lang:platform id="package_chrony">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-package_systemd:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="non-uefi">
+        <cpe-lang:platform id="package_net-snmp">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-package_net-snmp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_mount_tmp">
+        <cpe-lang:platform id="machine_and_mount_var-tmp">
           <cpe-lang:logical-test operator="AND" negate="false">
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_tmp:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_var-tmp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="package_sudo">
@@ -208,19 +237,14 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-package_sudo:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="not_package_nftables_and_not_package_ufw">
+        <cpe-lang:platform id="package_systemd">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:logical-test operator="AND" negate="true">
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-package_nftables:def:1"/>
-            </cpe-lang:logical-test>
/usr/share/xml/scap/ssg/content/ssg-fedora-ocil.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-fedora-ocil.xml	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-fedora-ocil.xml	2023-07-27 00:00:00.000000000 +0000
@@ -7,2609 +7,2609 @@
     <ocil:timestamp>2023-07-27T00:00:00</ocil:timestamp>
   </ocil:generator>
   <ocil:questionnaires>
-    <ocil:questionnaire id="ocil:ssg-package_tar_installed_ocil:questionnaire:1">
-      <ocil:title>Install tar Package</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-file_permissions_unauthorized_sgid_ocil:questionnaire:1">
+      <ocil:title>Ensure All SGID Executables Are Authorized</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-package_tar_installed_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-file_permissions_unauthorized_sgid_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-account_passwords_pam_faillock_dir_ocil:questionnaire:1">
-      <ocil:title>Account Lockouts Must Persist</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-partition_for_usr_ocil:questionnaire:1">
+      <ocil:title>Ensure /usr Located On Separate Partition</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-account_passwords_pam_faillock_dir_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-partition_for_usr_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-sshd_enable_warning_banner_net_ocil:questionnaire:1">
-      <ocil:title>Enable SSH Warning Banner</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-audit_rules_successful_file_modification_openat_o_trunc_write_ocil:questionnaire:1">
+      <ocil:title>Record Successful Creation Attempts to Files - openat O_TRUNC_WRITE</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-sshd_enable_warning_banner_net_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-audit_rules_successful_file_modification_openat_o_trunc_write_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-mount_option_tmp_nodev_ocil:questionnaire:1">
-      <ocil:title>Add nodev Option to /tmp</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-no_tmux_in_shells_ocil:questionnaire:1">
+      <ocil:title>Prevent user from disabling the screen lock</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-mount_option_tmp_nodev_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-no_tmux_in_shells_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-mount_option_nodev_nonroot_local_partitions_ocil:questionnaire:1">
-      <ocil:title>Add nodev Option to Non-Root Local Partitions</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-kernel_config_kexec_ocil:questionnaire:1">
+      <ocil:title>Disable kexec system call</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-mount_option_nodev_nonroot_local_partitions_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-kernel_config_kexec_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-dconf_gnome_screensaver_idle_activation_locked_ocil:questionnaire:1">
-      <ocil:title>Ensure Users Cannot Change GNOME3 Screensaver Idle Activation</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-no_legacy_plus_entries_etc_shadow_ocil:questionnaire:1">
+      <ocil:title>Ensure there are no legacy + NIS entries in /etc/shadow</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-dconf_gnome_screensaver_idle_activation_locked_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-no_legacy_plus_entries_etc_shadow_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-ntpd_configure_restrictions_ocil:questionnaire:1">
-      <ocil:title>Configure server restrictions for ntpd</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-mount_option_var_log_audit_nosuid_ocil:questionnaire:1">
+      <ocil:title>Add nosuid Option to /var/log/audit</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-ntpd_configure_restrictions_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-mount_option_var_log_audit_nosuid_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-package_MFEhiplsm_installed_ocil:questionnaire:1">
-      <ocil:title>Install the Host Intrusion Prevention System (HIPS) Module</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-audit_sudo_log_events_ocil:questionnaire:1">
+      <ocil:title>Record Attempts to perform maintenance activities</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-package_MFEhiplsm_installed_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-audit_sudo_log_events_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-grub2_disable_recovery_ocil:questionnaire:1">
-      <ocil:title>Disable Recovery Booting</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-package_ypserv_removed_ocil:questionnaire:1">
+      <ocil:title>Uninstall ypserv Package</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-grub2_disable_recovery_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-package_ypserv_removed_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write_ocil:questionnaire:1">
-      <ocil:title>Record Unsuccessful Modification Attempts to Files - open_by_handle_at O_TRUNC_WRITE</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-file_owner_cron_hourly_ocil:questionnaire:1">
+      <ocil:title>Verify Owner on cron.hourly</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-file_owner_cron_hourly_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-sudo_vdsm_nopasswd_ocil:questionnaire:1">
-      <ocil:title>Only the VDSM User Can Use sudo NOPASSWD</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-audit_rules_login_events_tallylog_ocil:questionnaire:1">
+      <ocil:title>Record Attempts to Alter Logon and Logout Events - tallylog</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-sudo_vdsm_nopasswd_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-audit_rules_login_events_tallylog_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-socket_systemd-journal-remote_disabled_ocil:questionnaire:1">
-      <ocil:title>Disable systemd-journal-remote Socket</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv6_conf_default_accept_source_route_ocil:questionnaire:1">
+      <ocil:title>Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-socket_systemd-journal-remote_disabled_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv6_conf_default_accept_source_route_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-kernel_module_iwlwifi_disabled_ocil:questionnaire:1">
-      <ocil:title>Disable Kernel iwlwifi Module</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-enable_fips_mode_ocil:questionnaire:1">
+      <ocil:title>Enable FIPS Mode</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-kernel_module_iwlwifi_disabled_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-enable_fips_mode_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-file_owner_var_log_messages_ocil:questionnaire:1">
-      <ocil:title>Verify User Who Owns /var/log/messages File</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-sudo_require_reauthentication_ocil:questionnaire:1">
+      <ocil:title>Require Re-Authentication When Using the sudo Command</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-file_owner_var_log_messages_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-sudo_require_reauthentication_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv6_conf_default_accept_ra_pinfo_ocil:questionnaire:1">
-      <ocil:title>Configure Accepting Prefix Information in Router Advertisements on All IPv6 Interfaces By Default</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-rsyslog_files_ownership_ocil:questionnaire:1">
+      <ocil:title>Ensure Log Files Are Owned By Appropriate User</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv6_conf_default_accept_ra_pinfo_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-rsyslog_files_ownership_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-grub2_password_ocil:questionnaire:1">
-      <ocil:title>Set Boot Loader Password in grub2</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-auditd_data_retention_max_log_file_action_ocil:questionnaire:1">
+      <ocil:title>Configure auditd max_log_file_action Upon Reaching Maximum Log Size</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-grub2_password_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-auditd_data_retention_max_log_file_action_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv4_conf_default_send_redirects_ocil:questionnaire:1">
-      <ocil:title>Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-auditd_data_retention_space_left_percentage_ocil:questionnaire:1">
+      <ocil:title>Configure auditd space_left on Low Disk Space</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv4_conf_default_send_redirects_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-auditd_data_retention_space_left_percentage_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-file_groupowner_etc_shadow_ocil:questionnaire:1">
-      <ocil:title>Verify Group Who Owns shadow File</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-file_groupowner_var_log_syslog_ocil:questionnaire:1">
+      <ocil:title>Verify Group Who Owns /var/log/syslog File</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-file_groupowner_etc_shadow_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-file_groupowner_var_log_syslog_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-mount_option_opt_nosuid_ocil:questionnaire:1">
-      <ocil:title>Add nosuid Option to /opt</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-grub2_nosmep_argument_absent_ocil:questionnaire:1">
+      <ocil:title>Ensure SMEP is not disabled during boot</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-mount_option_opt_nosuid_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-grub2_nosmep_argument_absent_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_rtr_pref_ocil:questionnaire:1">
-      <ocil:title>Configure Accepting Router Preference in Router Advertisements on All IPv6 Interfaces</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-package_nginx_removed_ocil:questionnaire:1">
+      <ocil:title>Uninstall nginx Package</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_rtr_pref_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-package_nginx_removed_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-audit_rules_successful_file_modification_fsetxattr_ocil:questionnaire:1">
-      <ocil:title>Record Successful Permission Changes to Files - fsetxattr</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-rsyslog_nolisten_ocil:questionnaire:1">
+      <ocil:title>Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-audit_rules_successful_file_modification_fsetxattr_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-rsyslog_nolisten_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-configure_usbguard_auditbackend_ocil:questionnaire:1">
-      <ocil:title>Log USBGuard daemon audit events using Linux Audit</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-ntpd_configure_restrictions_ocil:questionnaire:1">
+      <ocil:title>Configure server restrictions for ntpd</ocil:title>
       <ocil:actions>
/usr/share/xml/scap/ssg/content/ssg-fedora-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-fedora-xccdf.xml	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-fedora-xccdf.xml	2023-07-27 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
 <?xml version="1.0"?>
 <xccdf-1.2:Benchmark xmlns:cpe-lang="http://cpe.mitre.org/language/2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:html="http://www.w3.org/1999/xhtml" xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="xccdf_org.ssgproject.content_benchmark_FEDORA" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.2 xccdf-1.2.xsd" style="SCAP_1.2" resolved="true" xml:lang="en-US">
-  <xccdf-1.2:status date="2023-07-27">draft</xccdf-1.2:status>
+  <xccdf-1.2:status date="2039-08-29">draft</xccdf-1.2:status>
   <xccdf-1.2:title>Guide to the Secure Configuration of Fedora</xccdf-1.2:title>
   <xccdf-1.2:description>This guide presents a catalog of security-relevant
 configuration settings for Fedora. It is a rendering of
@@ -43,24 +43,52 @@
 countries. All other names are registered trademarks or trademarks of their
 respective companies.</xccdf-1.2:rear-matter>
   <cpe-lang:platform-specification>
-    <cpe-lang:platform id="machine_and_package_chrony_or_package_ntp">
+    <cpe-lang:platform id="wifi-iface">
+      <cpe-lang:logical-test operator="AND" negate="false">
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_wifi_interface:def:1"/>
+      </cpe-lang:logical-test>
+    </cpe-lang:platform>
+    <cpe-lang:platform id="krb5_workstation_older_than_1_17-18">
       <cpe-lang:logical-test operator="AND" negate="false">
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-krb5_workstation_older_than_1_17_18:def:1"/>
+      </cpe-lang:logical-test>
+    </cpe-lang:platform>
+    <cpe-lang:platform id="not_aarch64_arch_and_os_linux_ol_gt_or_eq_9_0_or_aarch64_arch_and_os_linux_rhel_gt_or_eq_9_0_or_os_linux_rhel_le_or_eq_8_4_and_s390x_arch">
+      <cpe-lang:logical-test operator="AND" negate="true">
         <cpe-lang:logical-test operator="OR" negate="false">
-          <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
-          <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-os_linux_ol_gt_or_eq_9_0:def:1"/>
+          </cpe-lang:logical-test>
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_gt_or_eq_9_0:def:1"/>
+          </cpe-lang:logical-test>
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_le_or_eq_8_4:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_s390x:def:1"/>
+          </cpe-lang:logical-test>
         </cpe-lang:logical-test>
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_net-snmp">
+    <cpe-lang:platform id="package_usbguard">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-package_net-snmp:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-package_usbguard:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="machine_and_not_s390x_arch">
+    <cpe-lang:platform id="package_yum">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-package_yum:def:1"/>
+      </cpe-lang:logical-test>
+    </cpe-lang:platform>
+    <cpe-lang:platform id="package_postfix">
+      <cpe-lang:logical-test operator="AND" negate="false">
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
+      </cpe-lang:logical-test>
+    </cpe-lang:platform>
+    <cpe-lang:platform id="non-uefi">
+      <cpe-lang:logical-test operator="AND" negate="false">
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
     <cpe-lang:platform id="machine_and_not_osbuild">
@@ -71,55 +99,62 @@
         <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_sssd">
+    <cpe-lang:platform id="package_ntp">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_postfix">
+    <cpe-lang:platform id="machine_and_mount_tmp">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_tmp:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="machine_and_mount_var-tmp">
+    <cpe-lang:platform id="machine_and_package_chrony_or_package_ntp">
       <cpe-lang:logical-test operator="AND" negate="false">
+        <cpe-lang:logical-test operator="OR" negate="false">
+          <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
+          <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
+        </cpe-lang:logical-test>
         <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_var-tmp:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_pam">
+    <cpe-lang:platform id="machine_and_not_s390x_arch">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="not_osbuild">
-      <cpe-lang:logical-test operator="AND" negate="true">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
+    <cpe-lang:platform id="package_sssd">
+      <cpe-lang:logical-test operator="AND" negate="false">
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="machine">
+    <cpe-lang:platform id="machine_and_package_ufw">
       <cpe-lang:logical-test operator="AND" negate="false">
         <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_shadow-utils">
+    <cpe-lang:platform id="package_libuser">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-package_shadow-utils:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-package_libuser:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_polkit">
-      <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-package_polkit:def:1"/>
+    <cpe-lang:platform id="package_chrony_or_package_ntp">
+      <cpe-lang:logical-test operator="OR" negate="false">
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_yum">
+    <cpe-lang:platform id="package_gdm">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-package_yum:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-package_gdm:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_libuser">
+    <cpe-lang:platform id="package_pam">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-package_libuser:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
     <cpe-lang:platform id="not_s390x_arch">
@@ -132,26 +167,20 @@
         <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-installed_OS_is_rhcos4_rhel9:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_chrony_or_package_ntp">
-      <cpe-lang:logical-test operator="OR" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
-      </cpe-lang:logical-test>
-    </cpe-lang:platform>
-    <cpe-lang:platform id="package_systemd">
+    <cpe-lang:platform id="package_chrony">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-package_systemd:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="non-uefi">
+    <cpe-lang:platform id="package_net-snmp">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-package_net-snmp:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="machine_and_mount_tmp">
+    <cpe-lang:platform id="machine_and_mount_var-tmp">
       <cpe-lang:logical-test operator="AND" negate="false">
         <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_tmp:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_var-tmp:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
     <cpe-lang:platform id="package_sudo">
@@ -159,19 +188,14 @@
         <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-package_sudo:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="not_package_nftables_and_not_package_ufw">
+    <cpe-lang:platform id="package_systemd">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:logical-test operator="AND" negate="true">
-          <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-fedora-cpe-oval.xml" id-ref="oval:ssg-package_nftables:def:1"/>
-        </cpe-lang:logical-test>
-        <cpe-lang:logical-test operator="AND" negate="true">
/usr/share/xml/scap/ssg/content/ssg-ol7-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ol7-ds-1.2.xml	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ol7-ds-1.2.xml	2023-07-27 00:00:00.000000000 +0000
@@ -33,7 +33,7 @@
   </ds:component>
   <ds:component id="scap_org.open-scap_comp_ssg-ol7-xccdf.xml" timestamp="2023-07-27T00:00:00">
     <xccdf-1.2:Benchmark id="xccdf_org.ssgproject.content_benchmark_OL-7" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.2 xccdf-1.2.xsd" style="SCAP_1.2" resolved="true" xml:lang="en-US">
-      <xccdf-1.2:status date="2023-07-27">draft</xccdf-1.2:status>
+      <xccdf-1.2:status date="2039-08-29">draft</xccdf-1.2:status>
       <xccdf-1.2:title>Guide to the Secure Configuration of Oracle Linux 7</xccdf-1.2:title>
       <xccdf-1.2:description>This guide presents a catalog of security-relevant
 configuration settings for Oracle Linux 7. It is a rendering of
@@ -76,37 +76,42 @@
 countries. All other names are registered trademarks or trademarks of their
 respective companies.</xccdf-1.2:rear-matter>
       <cpe-lang:platform-specification>
-        <cpe-lang:platform id="machine_and_package_chrony_or_package_ntp">
+        <cpe-lang:platform id="wifi-iface">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:logical-test operator="OR" negate="false">
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
-            </cpe-lang:logical-test>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_wifi_interface:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_net-snmp">
+        <cpe-lang:platform id="krb5_workstation_older_than_1_17-18">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-package_net-snmp:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-krb5_workstation_older_than_1_17_18:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_not_s390x_arch">
-          <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
+        <cpe-lang:platform id="not_aarch64_arch_and_os_linux_ol_gt_or_eq_9_0_or_aarch64_arch_and_os_linux_rhel_gt_or_eq_9_0_or_os_linux_rhel_le_or_eq_8_4_and_s390x_arch">
+          <cpe-lang:logical-test operator="AND" negate="true">
+            <cpe-lang:logical-test operator="OR" negate="false">
+              <cpe-lang:logical-test operator="AND" negate="false">
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1"/>
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-os_linux_ol_gt_or_eq_9_0:def:1"/>
+              </cpe-lang:logical-test>
+              <cpe-lang:logical-test operator="AND" negate="false">
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1"/>
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_gt_or_eq_9_0:def:1"/>
+              </cpe-lang:logical-test>
+              <cpe-lang:logical-test operator="AND" negate="false">
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_le_or_eq_8_4:def:1"/>
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_s390x:def:1"/>
+              </cpe-lang:logical-test>
+            </cpe-lang:logical-test>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_not_osbuild">
+        <cpe-lang:platform id="os_linux_ol_le_7_4">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:logical-test operator="AND" negate="true">
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
-            </cpe-lang:logical-test>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-os_linux_ol_le_7_4:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_sssd">
+        <cpe-lang:platform id="package_yum">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-package_yum:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="package_postfix">
@@ -114,60 +119,69 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_mount_var-tmp">
+        <cpe-lang:platform id="non-uefi">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_var-tmp:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_pam">
+        <cpe-lang:platform id="machine_and_not_osbuild">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
+            <cpe-lang:logical-test operator="AND" negate="true">
+              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
+            </cpe-lang:logical-test>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="not_osbuild">
-          <cpe-lang:logical-test operator="AND" negate="true">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
+        <cpe-lang:platform id="package_tftp-server">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-package_tftp-server:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine">
+        <cpe-lang:platform id="package_ntp">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_shadow-utils">
+        <cpe-lang:platform id="machine_and_mount_tmp">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-package_shadow-utils:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_tmp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_yum">
+        <cpe-lang:platform id="krb5_server_older_than_1_17-18">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-package_yum:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-krb5_server_older_than_1_17_18:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_libuser">
+        <cpe-lang:platform id="machine_and_package_chrony_or_package_ntp">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-package_libuser:def:1"/>
+            <cpe-lang:logical-test operator="OR" negate="false">
+              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
+              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
+            </cpe-lang:logical-test>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_nss-pam-ldapd">
+        <cpe-lang:platform id="machine_and_not_s390x_arch">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-package_nss-pam-ldapd:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="os_linux_ol_le_7_4">
+        <cpe-lang:platform id="package_sssd">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-os_linux_ol_le_7_4:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="not_s390x_arch">
+        <cpe-lang:platform id="machine_and_package_ufw">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="not_rhcos4-rhel9">
-          <cpe-lang:logical-test operator="AND" negate="true">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-installed_OS_is_rhcos4_rhel9:def:1"/>
+        <cpe-lang:platform id="package_libuser">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-package_libuser:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="package_chrony_or_package_ntp">
@@ -176,75 +190,70 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_tftp-server">
+        <cpe-lang:platform id="package_gdm">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-package_tftp-server:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-package_gdm:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_systemd">
+        <cpe-lang:platform id="package_pam">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-package_systemd:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="non-uefi">
+        <cpe-lang:platform id="not_s390x_arch">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_mount_tmp">
+        <cpe-lang:platform id="sssd-ldap">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_tmp:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-sssd_conf_uses_ldap:def:1"/>
           </cpe-lang:logical-test>
/usr/share/xml/scap/ssg/content/ssg-ol7-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ol7-ds.xml	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ol7-ds.xml	2023-07-27 00:00:00.000000000 +0000
@@ -35,7 +35,7 @@
   </ds:component>
   <ds:component id="scap_org.open-scap_comp_ssg-ol7-xccdf.xml" timestamp="2023-07-27T00:00:00">
     <xccdf-1.2:Benchmark id="xccdf_org.ssgproject.content_benchmark_OL-7" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.2 xccdf-1.2.xsd" style="SCAP_1.2" resolved="true" xml:lang="en-US">
-      <xccdf-1.2:status date="2023-07-27">draft</xccdf-1.2:status>
+      <xccdf-1.2:status date="2039-08-29">draft</xccdf-1.2:status>
       <xccdf-1.2:title>Guide to the Secure Configuration of Oracle Linux 7</xccdf-1.2:title>
       <xccdf-1.2:description>This guide presents a catalog of security-relevant
 configuration settings for Oracle Linux 7. It is a rendering of
@@ -78,37 +78,42 @@
 countries. All other names are registered trademarks or trademarks of their
 respective companies.</xccdf-1.2:rear-matter>
       <cpe-lang:platform-specification>
-        <cpe-lang:platform id="machine_and_package_chrony_or_package_ntp">
+        <cpe-lang:platform id="wifi-iface">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:logical-test operator="OR" negate="false">
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
-            </cpe-lang:logical-test>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_wifi_interface:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_net-snmp">
+        <cpe-lang:platform id="krb5_workstation_older_than_1_17-18">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-package_net-snmp:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-krb5_workstation_older_than_1_17_18:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_not_s390x_arch">
-          <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
+        <cpe-lang:platform id="not_aarch64_arch_and_os_linux_ol_gt_or_eq_9_0_or_aarch64_arch_and_os_linux_rhel_gt_or_eq_9_0_or_os_linux_rhel_le_or_eq_8_4_and_s390x_arch">
+          <cpe-lang:logical-test operator="AND" negate="true">
+            <cpe-lang:logical-test operator="OR" negate="false">
+              <cpe-lang:logical-test operator="AND" negate="false">
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1"/>
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-os_linux_ol_gt_or_eq_9_0:def:1"/>
+              </cpe-lang:logical-test>
+              <cpe-lang:logical-test operator="AND" negate="false">
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1"/>
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_gt_or_eq_9_0:def:1"/>
+              </cpe-lang:logical-test>
+              <cpe-lang:logical-test operator="AND" negate="false">
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_le_or_eq_8_4:def:1"/>
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_s390x:def:1"/>
+              </cpe-lang:logical-test>
+            </cpe-lang:logical-test>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_not_osbuild">
+        <cpe-lang:platform id="os_linux_ol_le_7_4">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:logical-test operator="AND" negate="true">
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
-            </cpe-lang:logical-test>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-os_linux_ol_le_7_4:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_sssd">
+        <cpe-lang:platform id="package_yum">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-package_yum:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="package_postfix">
@@ -116,60 +121,69 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_mount_var-tmp">
+        <cpe-lang:platform id="non-uefi">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_var-tmp:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_pam">
+        <cpe-lang:platform id="machine_and_not_osbuild">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
+            <cpe-lang:logical-test operator="AND" negate="true">
+              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
+            </cpe-lang:logical-test>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="not_osbuild">
-          <cpe-lang:logical-test operator="AND" negate="true">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
+        <cpe-lang:platform id="package_tftp-server">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-package_tftp-server:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine">
+        <cpe-lang:platform id="package_ntp">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_shadow-utils">
+        <cpe-lang:platform id="machine_and_mount_tmp">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-package_shadow-utils:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_tmp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_yum">
+        <cpe-lang:platform id="krb5_server_older_than_1_17-18">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-package_yum:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-krb5_server_older_than_1_17_18:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_libuser">
+        <cpe-lang:platform id="machine_and_package_chrony_or_package_ntp">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-package_libuser:def:1"/>
+            <cpe-lang:logical-test operator="OR" negate="false">
+              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
+              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
+            </cpe-lang:logical-test>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_nss-pam-ldapd">
+        <cpe-lang:platform id="machine_and_not_s390x_arch">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-package_nss-pam-ldapd:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="os_linux_ol_le_7_4">
+        <cpe-lang:platform id="package_sssd">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-os_linux_ol_le_7_4:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="not_s390x_arch">
+        <cpe-lang:platform id="machine_and_package_ufw">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="not_rhcos4-rhel9">
-          <cpe-lang:logical-test operator="AND" negate="true">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-installed_OS_is_rhcos4_rhel9:def:1"/>
+        <cpe-lang:platform id="package_libuser">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-package_libuser:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="package_chrony_or_package_ntp">
@@ -178,75 +192,70 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_tftp-server">
+        <cpe-lang:platform id="package_gdm">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-package_tftp-server:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-package_gdm:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_systemd">
+        <cpe-lang:platform id="package_pam">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-package_systemd:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="non-uefi">
+        <cpe-lang:platform id="not_s390x_arch">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_mount_tmp">
+        <cpe-lang:platform id="sssd-ldap">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_tmp:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-sssd_conf_uses_ldap:def:1"/>
           </cpe-lang:logical-test>
/usr/share/xml/scap/ssg/content/ssg-ol7-ocil.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ol7-ocil.xml	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ol7-ocil.xml	2023-07-27 00:00:00.000000000 +0000
@@ -7,922 +7,928 @@
     <ocil:timestamp>2023-07-27T00:00:00</ocil:timestamp>
   </ocil:generator>
   <ocil:questionnaires>
-    <ocil:questionnaire id="ocil:ssg-package_tar_installed_ocil:questionnaire:1">
-      <ocil:title>Install tar Package</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-file_permissions_unauthorized_sgid_ocil:questionnaire:1">
+      <ocil:title>Ensure All SGID Executables Are Authorized</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-package_tar_installed_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-file_permissions_unauthorized_sgid_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-account_passwords_pam_faillock_dir_ocil:questionnaire:1">
-      <ocil:title>Account Lockouts Must Persist</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-partition_for_usr_ocil:questionnaire:1">
+      <ocil:title>Ensure /usr Located On Separate Partition</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-account_passwords_pam_faillock_dir_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-partition_for_usr_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-sshd_enable_warning_banner_net_ocil:questionnaire:1">
-      <ocil:title>Enable SSH Warning Banner</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-audit_rules_successful_file_modification_openat_o_trunc_write_ocil:questionnaire:1">
+      <ocil:title>Record Successful Creation Attempts to Files - openat O_TRUNC_WRITE</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-sshd_enable_warning_banner_net_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-audit_rules_successful_file_modification_openat_o_trunc_write_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-mount_option_tmp_nodev_ocil:questionnaire:1">
-      <ocil:title>Add nodev Option to /tmp</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-configure_firewalld_ports_ocil:questionnaire:1">
+      <ocil:title>Configure the Firewalld Ports</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-mount_option_tmp_nodev_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-configure_firewalld_ports_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-mount_option_nodev_nonroot_local_partitions_ocil:questionnaire:1">
-      <ocil:title>Add nodev Option to Non-Root Local Partitions</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-kernel_config_kexec_ocil:questionnaire:1">
+      <ocil:title>Disable kexec system call</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-mount_option_nodev_nonroot_local_partitions_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-kernel_config_kexec_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-dconf_gnome_screensaver_idle_activation_locked_ocil:questionnaire:1">
-      <ocil:title>Ensure Users Cannot Change GNOME3 Screensaver Idle Activation</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-no_legacy_plus_entries_etc_shadow_ocil:questionnaire:1">
+      <ocil:title>Ensure there are no legacy + NIS entries in /etc/shadow</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-dconf_gnome_screensaver_idle_activation_locked_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-no_legacy_plus_entries_etc_shadow_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-package_MFEhiplsm_installed_ocil:questionnaire:1">
-      <ocil:title>Install the Host Intrusion Prevention System (HIPS) Module</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-accounts_password_set_max_life_existing_ocil:questionnaire:1">
+      <ocil:title>Set Existing Passwords Maximum Age</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-package_MFEhiplsm_installed_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-accounts_password_set_max_life_existing_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-grub2_disable_recovery_ocil:questionnaire:1">
-      <ocil:title>Disable Recovery Booting</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-sebool_logging_syslogd_use_tty_ocil:questionnaire:1">
+      <ocil:title>Enable the logging_syslogd_use_tty SELinux Boolean</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-grub2_disable_recovery_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-sebool_logging_syslogd_use_tty_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write_ocil:questionnaire:1">
-      <ocil:title>Record Unsuccessful Modification Attempts to Files - open_by_handle_at O_TRUNC_WRITE</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-mount_option_var_log_audit_nosuid_ocil:questionnaire:1">
+      <ocil:title>Add nosuid Option to /var/log/audit</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-mount_option_var_log_audit_nosuid_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-sudo_vdsm_nopasswd_ocil:questionnaire:1">
-      <ocil:title>Only the VDSM User Can Use sudo NOPASSWD</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-file_permission_user_init_files_ocil:questionnaire:1">
+      <ocil:title>Ensure All User Initialization Files Have Mode 0740 Or Less Permissive</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-sudo_vdsm_nopasswd_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-file_permission_user_init_files_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-tftpd_uses_secure_mode_ocil:questionnaire:1">
-      <ocil:title>Ensure tftp Daemon Uses Secure Mode</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-mount_option_noexec_remote_filesystems_ocil:questionnaire:1">
+      <ocil:title>Mount Remote Filesystems with noexec</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-tftpd_uses_secure_mode_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-mount_option_noexec_remote_filesystems_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-file_owner_var_log_messages_ocil:questionnaire:1">
-      <ocil:title>Verify User Who Owns /var/log/messages File</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-package_ypserv_removed_ocil:questionnaire:1">
+      <ocil:title>Uninstall ypserv Package</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-file_owner_var_log_messages_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-package_ypserv_removed_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv6_conf_default_accept_ra_pinfo_ocil:questionnaire:1">
-      <ocil:title>Configure Accepting Prefix Information in Router Advertisements on All IPv6 Interfaces By Default</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-ensure_oracle_gpgkey_installed_ocil:questionnaire:1">
+      <ocil:title>Ensure Oracle Linux GPG Key Installed</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv6_conf_default_accept_ra_pinfo_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-ensure_oracle_gpgkey_installed_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-grub2_password_ocil:questionnaire:1">
-      <ocil:title>Set Boot Loader Password in grub2</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-audit_rules_login_events_tallylog_ocil:questionnaire:1">
+      <ocil:title>Record Attempts to Alter Logon and Logout Events - tallylog</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-grub2_password_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-audit_rules_login_events_tallylog_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv4_conf_default_send_redirects_ocil:questionnaire:1">
-      <ocil:title>Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv6_conf_default_accept_source_route_ocil:questionnaire:1">
+      <ocil:title>Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv4_conf_default_send_redirects_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv6_conf_default_accept_source_route_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-file_groupowner_etc_shadow_ocil:questionnaire:1">
-      <ocil:title>Verify Group Who Owns shadow File</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-sebool_guest_exec_content_ocil:questionnaire:1">
+      <ocil:title>Disable the guest_exec_content SELinux Boolean</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-file_groupowner_etc_shadow_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-sebool_guest_exec_content_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-sssd_ldap_configure_tls_ca_dir_ocil:questionnaire:1">
-      <ocil:title>Configure SSSD LDAP Backend Client CA Certificate Location</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-sudo_require_reauthentication_ocil:questionnaire:1">
+      <ocil:title>Require Re-Authentication When Using the sudo Command</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-sssd_ldap_configure_tls_ca_dir_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-sudo_require_reauthentication_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-mount_option_opt_nosuid_ocil:questionnaire:1">
-      <ocil:title>Add nosuid Option to /opt</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-rsyslog_files_ownership_ocil:questionnaire:1">
+      <ocil:title>Ensure Log Files Are Owned By Appropriate User</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-mount_option_opt_nosuid_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-rsyslog_files_ownership_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-auditd_data_retention_space_left_ocil:questionnaire:1">
+    <ocil:questionnaire id="ocil:ssg-auditd_data_retention_max_log_file_action_ocil:questionnaire:1">
+      <ocil:title>Configure auditd max_log_file_action Upon Reaching Maximum Log Size</ocil:title>
+      <ocil:actions>
+        <ocil:test_action_ref>ocil:ssg-auditd_data_retention_max_log_file_action_action:testaction:1</ocil:test_action_ref>
+      </ocil:actions>
+    </ocil:questionnaire>
+    <ocil:questionnaire id="ocil:ssg-auditd_data_retention_space_left_percentage_ocil:questionnaire:1">
       <ocil:title>Configure auditd space_left on Low Disk Space</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-auditd_data_retention_space_left_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-auditd_data_retention_space_left_percentage_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_rtr_pref_ocil:questionnaire:1">
-      <ocil:title>Configure Accepting Router Preference in Router Advertisements on All IPv6 Interfaces</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-file_groupowner_var_log_syslog_ocil:questionnaire:1">
+      <ocil:title>Verify Group Who Owns /var/log/syslog File</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_rtr_pref_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-file_groupowner_var_log_syslog_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-audit_rules_successful_file_modification_fsetxattr_ocil:questionnaire:1">
-      <ocil:title>Record Successful Permission Changes to Files - fsetxattr</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-grub2_nosmep_argument_absent_ocil:questionnaire:1">
+      <ocil:title>Ensure SMEP is not disabled during boot</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-audit_rules_successful_file_modification_fsetxattr_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-grub2_nosmep_argument_absent_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
/usr/share/xml/scap/ssg/content/ssg-ol7-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ol7-xccdf.xml	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ol7-xccdf.xml	2023-07-27 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
 <?xml version="1.0"?>
 <xccdf-1.2:Benchmark xmlns:cpe-lang="http://cpe.mitre.org/language/2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:html="http://www.w3.org/1999/xhtml" xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="xccdf_org.ssgproject.content_benchmark_OL-7" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.2 xccdf-1.2.xsd" style="SCAP_1.2" resolved="true" xml:lang="en-US">
-  <xccdf-1.2:status date="2023-07-27">draft</xccdf-1.2:status>
+  <xccdf-1.2:status date="2039-08-29">draft</xccdf-1.2:status>
   <xccdf-1.2:title>Guide to the Secure Configuration of Oracle Linux 7</xccdf-1.2:title>
   <xccdf-1.2:description>This guide presents a catalog of security-relevant
 configuration settings for Oracle Linux 7. It is a rendering of
@@ -43,37 +43,42 @@
 countries. All other names are registered trademarks or trademarks of their
 respective companies.</xccdf-1.2:rear-matter>
   <cpe-lang:platform-specification>
-    <cpe-lang:platform id="machine_and_package_chrony_or_package_ntp">
+    <cpe-lang:platform id="wifi-iface">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:logical-test operator="OR" negate="false">
-          <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
-          <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
-        </cpe-lang:logical-test>
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_wifi_interface:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_net-snmp">
+    <cpe-lang:platform id="krb5_workstation_older_than_1_17-18">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-package_net-snmp:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-krb5_workstation_older_than_1_17_18:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="machine_and_not_s390x_arch">
-      <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
+    <cpe-lang:platform id="not_aarch64_arch_and_os_linux_ol_gt_or_eq_9_0_or_aarch64_arch_and_os_linux_rhel_gt_or_eq_9_0_or_os_linux_rhel_le_or_eq_8_4_and_s390x_arch">
+      <cpe-lang:logical-test operator="AND" negate="true">
+        <cpe-lang:logical-test operator="OR" negate="false">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-os_linux_ol_gt_or_eq_9_0:def:1"/>
+          </cpe-lang:logical-test>
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_gt_or_eq_9_0:def:1"/>
+          </cpe-lang:logical-test>
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_le_or_eq_8_4:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_s390x:def:1"/>
+          </cpe-lang:logical-test>
+        </cpe-lang:logical-test>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="machine_and_not_osbuild">
+    <cpe-lang:platform id="os_linux_ol_le_7_4">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:logical-test operator="AND" negate="true">
-          <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
-        </cpe-lang:logical-test>
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-os_linux_ol_le_7_4:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_sssd">
+    <cpe-lang:platform id="package_yum">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-package_yum:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
     <cpe-lang:platform id="package_postfix">
@@ -81,60 +86,69 @@
         <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="machine_and_mount_var-tmp">
+    <cpe-lang:platform id="non-uefi">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_var-tmp:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_pam">
+    <cpe-lang:platform id="machine_and_not_osbuild">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
+        <cpe-lang:logical-test operator="AND" negate="true">
+          <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
+        </cpe-lang:logical-test>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="not_osbuild">
-      <cpe-lang:logical-test operator="AND" negate="true">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
+    <cpe-lang:platform id="package_tftp-server">
+      <cpe-lang:logical-test operator="AND" negate="false">
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-package_tftp-server:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="machine">
+    <cpe-lang:platform id="package_ntp">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_shadow-utils">
+    <cpe-lang:platform id="machine_and_mount_tmp">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-package_shadow-utils:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_tmp:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_yum">
+    <cpe-lang:platform id="krb5_server_older_than_1_17-18">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-package_yum:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-krb5_server_older_than_1_17_18:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_libuser">
+    <cpe-lang:platform id="machine_and_package_chrony_or_package_ntp">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-package_libuser:def:1"/>
+        <cpe-lang:logical-test operator="OR" negate="false">
+          <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
+          <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
+        </cpe-lang:logical-test>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_nss-pam-ldapd">
+    <cpe-lang:platform id="machine_and_not_s390x_arch">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-package_nss-pam-ldapd:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="os_linux_ol_le_7_4">
+    <cpe-lang:platform id="package_sssd">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-os_linux_ol_le_7_4:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="not_s390x_arch">
+    <cpe-lang:platform id="machine_and_package_ufw">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="not_rhcos4-rhel9">
-      <cpe-lang:logical-test operator="AND" negate="true">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-installed_OS_is_rhcos4_rhel9:def:1"/>
+    <cpe-lang:platform id="package_libuser">
+      <cpe-lang:logical-test operator="AND" negate="false">
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-package_libuser:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
     <cpe-lang:platform id="package_chrony_or_package_ntp">
@@ -143,75 +157,70 @@
         <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_tftp-server">
+    <cpe-lang:platform id="package_gdm">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-package_tftp-server:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-package_gdm:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_systemd">
+    <cpe-lang:platform id="package_pam">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-package_systemd:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="non-uefi">
+    <cpe-lang:platform id="not_s390x_arch">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="machine_and_mount_tmp">
+    <cpe-lang:platform id="sssd-ldap">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_tmp:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol7-cpe-oval.xml" id-ref="oval:ssg-sssd_conf_uses_ldap:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
/usr/share/xml/scap/ssg/content/ssg-ol8-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ol8-ds-1.2.xml	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ol8-ds-1.2.xml	2023-07-27 00:00:00.000000000 +0000
@@ -33,7 +33,7 @@
   </ds:component>
   <ds:component id="scap_org.open-scap_comp_ssg-ol8-xccdf.xml" timestamp="2023-07-27T00:00:00">
     <xccdf-1.2:Benchmark id="xccdf_org.ssgproject.content_benchmark_OL-8" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.2 xccdf-1.2.xsd" style="SCAP_1.2" resolved="true" xml:lang="en-US">
-      <xccdf-1.2:status date="2023-07-27">draft</xccdf-1.2:status>
+      <xccdf-1.2:status date="2039-08-29">draft</xccdf-1.2:status>
       <xccdf-1.2:title>Guide to the Secure Configuration of Oracle Linux 8</xccdf-1.2:title>
       <xccdf-1.2:description>This guide presents a catalog of security-relevant
 configuration settings for Oracle Linux 8. It is a rendering of
@@ -76,24 +76,52 @@
 countries. All other names are registered trademarks or trademarks of their
 respective companies.</xccdf-1.2:rear-matter>
       <cpe-lang:platform-specification>
-        <cpe-lang:platform id="machine_and_package_chrony_or_package_ntp">
+        <cpe-lang:platform id="wifi-iface">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_wifi_interface:def:1"/>
+          </cpe-lang:logical-test>
+        </cpe-lang:platform>
+        <cpe-lang:platform id="krb5_workstation_older_than_1_17-18">
           <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-krb5_workstation_older_than_1_17_18:def:1"/>
+          </cpe-lang:logical-test>
+        </cpe-lang:platform>
+        <cpe-lang:platform id="not_aarch64_arch_and_os_linux_ol_gt_or_eq_9_0_or_aarch64_arch_and_os_linux_rhel_gt_or_eq_9_0_or_os_linux_rhel_le_or_eq_8_4_and_s390x_arch">
+          <cpe-lang:logical-test operator="AND" negate="true">
             <cpe-lang:logical-test operator="OR" negate="false">
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
+              <cpe-lang:logical-test operator="AND" negate="false">
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1"/>
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-os_linux_ol_gt_or_eq_9_0:def:1"/>
+              </cpe-lang:logical-test>
+              <cpe-lang:logical-test operator="AND" negate="false">
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1"/>
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_gt_or_eq_9_0:def:1"/>
+              </cpe-lang:logical-test>
+              <cpe-lang:logical-test operator="AND" negate="false">
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_le_or_eq_8_4:def:1"/>
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_s390x:def:1"/>
+              </cpe-lang:logical-test>
             </cpe-lang:logical-test>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_net-snmp">
+        <cpe-lang:platform id="package_usbguard">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-package_net-snmp:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-package_usbguard:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_not_s390x_arch">
+        <cpe-lang:platform id="package_yum">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-package_yum:def:1"/>
+          </cpe-lang:logical-test>
+        </cpe-lang:platform>
+        <cpe-lang:platform id="package_postfix">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
+          </cpe-lang:logical-test>
+        </cpe-lang:platform>
+        <cpe-lang:platform id="non-uefi">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="machine_and_not_osbuild">
@@ -104,65 +132,62 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_sssd">
+        <cpe-lang:platform id="package_tftp-server">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-package_tftp-server:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_postfix">
+        <cpe-lang:platform id="package_ntp">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_mount_var-tmp">
+        <cpe-lang:platform id="machine_and_uefi">
           <cpe-lang:logical-test operator="AND" negate="false">
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_var-tmp:def:1"/>
-          </cpe-lang:logical-test>
-        </cpe-lang:platform>
-        <cpe-lang:platform id="package_pam">
-          <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
-          </cpe-lang:logical-test>
-        </cpe-lang:platform>
-        <cpe-lang:platform id="not_osbuild">
-          <cpe-lang:logical-test operator="AND" negate="true">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_uefi:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine">
+        <cpe-lang:platform id="machine_and_mount_tmp">
           <cpe-lang:logical-test operator="AND" negate="false">
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_tmp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_shadow-utils">
+        <cpe-lang:platform id="krb5_server_older_than_1_17-18">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-package_shadow-utils:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-krb5_server_older_than_1_17_18:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_yum">
+        <cpe-lang:platform id="machine_and_package_chrony_or_package_ntp">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-package_yum:def:1"/>
+            <cpe-lang:logical-test operator="OR" negate="false">
+              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
+              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
+            </cpe-lang:logical-test>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_libuser">
+        <cpe-lang:platform id="machine_and_not_s390x_arch">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-package_libuser:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_nss-pam-ldapd">
+        <cpe-lang:platform id="package_sssd">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-package_nss-pam-ldapd:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="not_s390x_arch">
+        <cpe-lang:platform id="machine_and_package_ufw">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="not_rhcos4-rhel9">
-          <cpe-lang:logical-test operator="AND" negate="true">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-installed_OS_is_rhcos4_rhel9:def:1"/>
+        <cpe-lang:platform id="package_libuser">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-package_libuser:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="package_chrony_or_package_ntp">
@@ -171,81 +196,70 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_tftp-server">
+        <cpe-lang:platform id="package_gdm">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-package_tftp-server:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-package_gdm:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_systemd">
+        <cpe-lang:platform id="package_pam">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-package_systemd:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="non-uefi">
+        <cpe-lang:platform id="not_s390x_arch">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_mount_tmp">
+        <cpe-lang:platform id="sssd-ldap">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_tmp:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-sssd_conf_uses_ldap:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_sudo">
/usr/share/xml/scap/ssg/content/ssg-ol8-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ol8-ds.xml	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ol8-ds.xml	2023-07-27 00:00:00.000000000 +0000
@@ -35,7 +35,7 @@
   </ds:component>
   <ds:component id="scap_org.open-scap_comp_ssg-ol8-xccdf.xml" timestamp="2023-07-27T00:00:00">
     <xccdf-1.2:Benchmark id="xccdf_org.ssgproject.content_benchmark_OL-8" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.2 xccdf-1.2.xsd" style="SCAP_1.2" resolved="true" xml:lang="en-US">
-      <xccdf-1.2:status date="2023-07-27">draft</xccdf-1.2:status>
+      <xccdf-1.2:status date="2039-08-29">draft</xccdf-1.2:status>
       <xccdf-1.2:title>Guide to the Secure Configuration of Oracle Linux 8</xccdf-1.2:title>
       <xccdf-1.2:description>This guide presents a catalog of security-relevant
 configuration settings for Oracle Linux 8. It is a rendering of
@@ -78,24 +78,52 @@
 countries. All other names are registered trademarks or trademarks of their
 respective companies.</xccdf-1.2:rear-matter>
       <cpe-lang:platform-specification>
-        <cpe-lang:platform id="machine_and_package_chrony_or_package_ntp">
+        <cpe-lang:platform id="wifi-iface">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_wifi_interface:def:1"/>
+          </cpe-lang:logical-test>
+        </cpe-lang:platform>
+        <cpe-lang:platform id="krb5_workstation_older_than_1_17-18">
           <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-krb5_workstation_older_than_1_17_18:def:1"/>
+          </cpe-lang:logical-test>
+        </cpe-lang:platform>
+        <cpe-lang:platform id="not_aarch64_arch_and_os_linux_ol_gt_or_eq_9_0_or_aarch64_arch_and_os_linux_rhel_gt_or_eq_9_0_or_os_linux_rhel_le_or_eq_8_4_and_s390x_arch">
+          <cpe-lang:logical-test operator="AND" negate="true">
             <cpe-lang:logical-test operator="OR" negate="false">
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
+              <cpe-lang:logical-test operator="AND" negate="false">
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1"/>
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-os_linux_ol_gt_or_eq_9_0:def:1"/>
+              </cpe-lang:logical-test>
+              <cpe-lang:logical-test operator="AND" negate="false">
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1"/>
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_gt_or_eq_9_0:def:1"/>
+              </cpe-lang:logical-test>
+              <cpe-lang:logical-test operator="AND" negate="false">
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_le_or_eq_8_4:def:1"/>
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_s390x:def:1"/>
+              </cpe-lang:logical-test>
             </cpe-lang:logical-test>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_net-snmp">
+        <cpe-lang:platform id="package_usbguard">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-package_net-snmp:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-package_usbguard:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_not_s390x_arch">
+        <cpe-lang:platform id="package_yum">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-package_yum:def:1"/>
+          </cpe-lang:logical-test>
+        </cpe-lang:platform>
+        <cpe-lang:platform id="package_postfix">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
+          </cpe-lang:logical-test>
+        </cpe-lang:platform>
+        <cpe-lang:platform id="non-uefi">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="machine_and_not_osbuild">
@@ -106,65 +134,62 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_sssd">
+        <cpe-lang:platform id="package_tftp-server">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-package_tftp-server:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_postfix">
+        <cpe-lang:platform id="package_ntp">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_mount_var-tmp">
+        <cpe-lang:platform id="machine_and_uefi">
           <cpe-lang:logical-test operator="AND" negate="false">
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_var-tmp:def:1"/>
-          </cpe-lang:logical-test>
-        </cpe-lang:platform>
-        <cpe-lang:platform id="package_pam">
-          <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
-          </cpe-lang:logical-test>
-        </cpe-lang:platform>
-        <cpe-lang:platform id="not_osbuild">
-          <cpe-lang:logical-test operator="AND" negate="true">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_uefi:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine">
+        <cpe-lang:platform id="machine_and_mount_tmp">
           <cpe-lang:logical-test operator="AND" negate="false">
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_tmp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_shadow-utils">
+        <cpe-lang:platform id="krb5_server_older_than_1_17-18">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-package_shadow-utils:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-krb5_server_older_than_1_17_18:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_yum">
+        <cpe-lang:platform id="machine_and_package_chrony_or_package_ntp">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-package_yum:def:1"/>
+            <cpe-lang:logical-test operator="OR" negate="false">
+              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
+              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
+            </cpe-lang:logical-test>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_libuser">
+        <cpe-lang:platform id="machine_and_not_s390x_arch">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-package_libuser:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_nss-pam-ldapd">
+        <cpe-lang:platform id="package_sssd">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-package_nss-pam-ldapd:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="not_s390x_arch">
+        <cpe-lang:platform id="machine_and_package_ufw">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="not_rhcos4-rhel9">
-          <cpe-lang:logical-test operator="AND" negate="true">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-installed_OS_is_rhcos4_rhel9:def:1"/>
+        <cpe-lang:platform id="package_libuser">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-package_libuser:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="package_chrony_or_package_ntp">
@@ -173,81 +198,70 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_tftp-server">
+        <cpe-lang:platform id="package_gdm">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-package_tftp-server:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-package_gdm:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_systemd">
+        <cpe-lang:platform id="package_pam">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-package_systemd:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="non-uefi">
+        <cpe-lang:platform id="not_s390x_arch">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_mount_tmp">
+        <cpe-lang:platform id="sssd-ldap">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_tmp:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-sssd_conf_uses_ldap:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_sudo">
/usr/share/xml/scap/ssg/content/ssg-ol8-ocil.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ol8-ocil.xml	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ol8-ocil.xml	2023-07-27 00:00:00.000000000 +0000
@@ -7,490 +7,491 @@
     <ocil:timestamp>2023-07-27T00:00:00</ocil:timestamp>
   </ocil:generator>
   <ocil:questionnaires>
-    <ocil:questionnaire id="ocil:ssg-package_tar_installed_ocil:questionnaire:1">
-      <ocil:title>Install tar Package</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-file_permissions_unauthorized_sgid_ocil:questionnaire:1">
+      <ocil:title>Ensure All SGID Executables Are Authorized</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-package_tar_installed_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-file_permissions_unauthorized_sgid_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-account_passwords_pam_faillock_dir_ocil:questionnaire:1">
-      <ocil:title>Account Lockouts Must Persist</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-partition_for_usr_ocil:questionnaire:1">
+      <ocil:title>Ensure /usr Located On Separate Partition</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-account_passwords_pam_faillock_dir_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-partition_for_usr_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-sshd_enable_warning_banner_net_ocil:questionnaire:1">
-      <ocil:title>Enable SSH Warning Banner</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-audit_rules_successful_file_modification_openat_o_trunc_write_ocil:questionnaire:1">
+      <ocil:title>Record Successful Creation Attempts to Files - openat O_TRUNC_WRITE</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-sshd_enable_warning_banner_net_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-audit_rules_successful_file_modification_openat_o_trunc_write_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-mount_option_tmp_nodev_ocil:questionnaire:1">
-      <ocil:title>Add nodev Option to /tmp</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-no_tmux_in_shells_ocil:questionnaire:1">
+      <ocil:title>Prevent user from disabling the screen lock</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-mount_option_tmp_nodev_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-no_tmux_in_shells_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-mount_option_nodev_nonroot_local_partitions_ocil:questionnaire:1">
-      <ocil:title>Add nodev Option to Non-Root Local Partitions</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-configure_firewalld_ports_ocil:questionnaire:1">
+      <ocil:title>Configure the Firewalld Ports</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-mount_option_nodev_nonroot_local_partitions_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-configure_firewalld_ports_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-set_password_hashing_min_rounds_logindefs_ocil:questionnaire:1">
-      <ocil:title>Set Password Hashing Rounds in /etc/login.defs</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-kernel_config_kexec_ocil:questionnaire:1">
+      <ocil:title>Disable kexec system call</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-set_password_hashing_min_rounds_logindefs_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-kernel_config_kexec_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-dconf_gnome_screensaver_idle_activation_locked_ocil:questionnaire:1">
-      <ocil:title>Ensure Users Cannot Change GNOME3 Screensaver Idle Activation</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-no_legacy_plus_entries_etc_shadow_ocil:questionnaire:1">
+      <ocil:title>Ensure there are no legacy + NIS entries in /etc/shadow</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-dconf_gnome_screensaver_idle_activation_locked_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-no_legacy_plus_entries_etc_shadow_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-package_MFEhiplsm_installed_ocil:questionnaire:1">
-      <ocil:title>Install the Host Intrusion Prevention System (HIPS) Module</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-accounts_password_set_max_life_existing_ocil:questionnaire:1">
+      <ocil:title>Set Existing Passwords Maximum Age</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-package_MFEhiplsm_installed_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-accounts_password_set_max_life_existing_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-grub2_disable_recovery_ocil:questionnaire:1">
-      <ocil:title>Disable Recovery Booting</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-sebool_logging_syslogd_use_tty_ocil:questionnaire:1">
+      <ocil:title>Enable the logging_syslogd_use_tty SELinux Boolean</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-grub2_disable_recovery_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-sebool_logging_syslogd_use_tty_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write_ocil:questionnaire:1">
-      <ocil:title>Record Unsuccessful Modification Attempts to Files - open_by_handle_at O_TRUNC_WRITE</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-mount_option_var_log_audit_nosuid_ocil:questionnaire:1">
+      <ocil:title>Add nosuid Option to /var/log/audit</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-mount_option_var_log_audit_nosuid_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-sudo_vdsm_nopasswd_ocil:questionnaire:1">
-      <ocil:title>Only the VDSM User Can Use sudo NOPASSWD</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-file_permission_user_init_files_ocil:questionnaire:1">
+      <ocil:title>Ensure All User Initialization Files Have Mode 0740 Or Less Permissive</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-sudo_vdsm_nopasswd_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-file_permission_user_init_files_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-tftpd_uses_secure_mode_ocil:questionnaire:1">
-      <ocil:title>Ensure tftp Daemon Uses Secure Mode</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-mount_option_noexec_remote_filesystems_ocil:questionnaire:1">
+      <ocil:title>Mount Remote Filesystems with noexec</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-tftpd_uses_secure_mode_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-mount_option_noexec_remote_filesystems_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-file_owner_var_log_messages_ocil:questionnaire:1">
-      <ocil:title>Verify User Who Owns /var/log/messages File</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-package_ypserv_removed_ocil:questionnaire:1">
+      <ocil:title>Uninstall ypserv Package</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-file_owner_var_log_messages_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-package_ypserv_removed_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv6_conf_default_accept_ra_pinfo_ocil:questionnaire:1">
-      <ocil:title>Configure Accepting Prefix Information in Router Advertisements on All IPv6 Interfaces By Default</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-ensure_oracle_gpgkey_installed_ocil:questionnaire:1">
+      <ocil:title>Ensure Oracle Linux GPG Key Installed</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv6_conf_default_accept_ra_pinfo_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-ensure_oracle_gpgkey_installed_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-grub2_password_ocil:questionnaire:1">
-      <ocil:title>Set Boot Loader Password in grub2</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-audit_rules_login_events_tallylog_ocil:questionnaire:1">
+      <ocil:title>Record Attempts to Alter Logon and Logout Events - tallylog</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-grub2_password_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-audit_rules_login_events_tallylog_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv4_conf_default_send_redirects_ocil:questionnaire:1">
-      <ocil:title>Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv6_conf_default_accept_source_route_ocil:questionnaire:1">
+      <ocil:title>Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv4_conf_default_send_redirects_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv6_conf_default_accept_source_route_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-file_groupowner_etc_shadow_ocil:questionnaire:1">
-      <ocil:title>Verify Group Who Owns shadow File</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-sebool_guest_exec_content_ocil:questionnaire:1">
+      <ocil:title>Disable the guest_exec_content SELinux Boolean</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-file_groupowner_etc_shadow_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-sebool_guest_exec_content_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-sssd_ldap_configure_tls_ca_dir_ocil:questionnaire:1">
-      <ocil:title>Configure SSSD LDAP Backend Client CA Certificate Location</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-enable_fips_mode_ocil:questionnaire:1">
+      <ocil:title>Enable FIPS Mode</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-sssd_ldap_configure_tls_ca_dir_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-enable_fips_mode_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-mount_option_opt_nosuid_ocil:questionnaire:1">
-      <ocil:title>Add nosuid Option to /opt</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-sudo_require_reauthentication_ocil:questionnaire:1">
+      <ocil:title>Require Re-Authentication When Using the sudo Command</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-mount_option_opt_nosuid_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-sudo_require_reauthentication_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-auditd_data_retention_space_left_ocil:questionnaire:1">
-      <ocil:title>Configure auditd space_left on Low Disk Space</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-rsyslog_files_ownership_ocil:questionnaire:1">
+      <ocil:title>Ensure Log Files Are Owned By Appropriate User</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-auditd_data_retention_space_left_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-rsyslog_files_ownership_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_rtr_pref_ocil:questionnaire:1">
-      <ocil:title>Configure Accepting Router Preference in Router Advertisements on All IPv6 Interfaces</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-auditd_data_retention_max_log_file_action_ocil:questionnaire:1">
+      <ocil:title>Configure auditd max_log_file_action Upon Reaching Maximum Log Size</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_rtr_pref_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-auditd_data_retention_max_log_file_action_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-audit_rules_successful_file_modification_fsetxattr_ocil:questionnaire:1">
-      <ocil:title>Record Successful Permission Changes to Files - fsetxattr</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-file_groupownership_lastlog_ocil:questionnaire:1">
+      <ocil:title>Verify Group Who Owns lastlog Command</ocil:title>
       <ocil:actions>
/usr/share/xml/scap/ssg/content/ssg-ol8-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ol8-xccdf.xml	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ol8-xccdf.xml	2023-07-27 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
 <?xml version="1.0"?>
 <xccdf-1.2:Benchmark xmlns:cpe-lang="http://cpe.mitre.org/language/2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:html="http://www.w3.org/1999/xhtml" xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="xccdf_org.ssgproject.content_benchmark_OL-8" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.2 xccdf-1.2.xsd" style="SCAP_1.2" resolved="true" xml:lang="en-US">
-  <xccdf-1.2:status date="2023-07-27">draft</xccdf-1.2:status>
+  <xccdf-1.2:status date="2039-08-29">draft</xccdf-1.2:status>
   <xccdf-1.2:title>Guide to the Secure Configuration of Oracle Linux 8</xccdf-1.2:title>
   <xccdf-1.2:description>This guide presents a catalog of security-relevant
 configuration settings for Oracle Linux 8. It is a rendering of
@@ -43,24 +43,52 @@
 countries. All other names are registered trademarks or trademarks of their
 respective companies.</xccdf-1.2:rear-matter>
   <cpe-lang:platform-specification>
-    <cpe-lang:platform id="machine_and_package_chrony_or_package_ntp">
+    <cpe-lang:platform id="wifi-iface">
+      <cpe-lang:logical-test operator="AND" negate="false">
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_wifi_interface:def:1"/>
+      </cpe-lang:logical-test>
+    </cpe-lang:platform>
+    <cpe-lang:platform id="krb5_workstation_older_than_1_17-18">
       <cpe-lang:logical-test operator="AND" negate="false">
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-krb5_workstation_older_than_1_17_18:def:1"/>
+      </cpe-lang:logical-test>
+    </cpe-lang:platform>
+    <cpe-lang:platform id="not_aarch64_arch_and_os_linux_ol_gt_or_eq_9_0_or_aarch64_arch_and_os_linux_rhel_gt_or_eq_9_0_or_os_linux_rhel_le_or_eq_8_4_and_s390x_arch">
+      <cpe-lang:logical-test operator="AND" negate="true">
         <cpe-lang:logical-test operator="OR" negate="false">
-          <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
-          <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-os_linux_ol_gt_or_eq_9_0:def:1"/>
+          </cpe-lang:logical-test>
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_gt_or_eq_9_0:def:1"/>
+          </cpe-lang:logical-test>
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_le_or_eq_8_4:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_s390x:def:1"/>
+          </cpe-lang:logical-test>
         </cpe-lang:logical-test>
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_net-snmp">
+    <cpe-lang:platform id="package_usbguard">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-package_net-snmp:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-package_usbguard:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="machine_and_not_s390x_arch">
+    <cpe-lang:platform id="package_yum">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-package_yum:def:1"/>
+      </cpe-lang:logical-test>
+    </cpe-lang:platform>
+    <cpe-lang:platform id="package_postfix">
+      <cpe-lang:logical-test operator="AND" negate="false">
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
+      </cpe-lang:logical-test>
+    </cpe-lang:platform>
+    <cpe-lang:platform id="non-uefi">
+      <cpe-lang:logical-test operator="AND" negate="false">
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
     <cpe-lang:platform id="machine_and_not_osbuild">
@@ -71,65 +99,62 @@
         <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_sssd">
+    <cpe-lang:platform id="package_tftp-server">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-package_tftp-server:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_postfix">
+    <cpe-lang:platform id="package_ntp">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="machine_and_mount_var-tmp">
+    <cpe-lang:platform id="machine_and_uefi">
       <cpe-lang:logical-test operator="AND" negate="false">
         <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_var-tmp:def:1"/>
-      </cpe-lang:logical-test>
-    </cpe-lang:platform>
-    <cpe-lang:platform id="package_pam">
-      <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
-      </cpe-lang:logical-test>
-    </cpe-lang:platform>
-    <cpe-lang:platform id="not_osbuild">
-      <cpe-lang:logical-test operator="AND" negate="true">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_uefi:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="machine">
+    <cpe-lang:platform id="machine_and_mount_tmp">
       <cpe-lang:logical-test operator="AND" negate="false">
         <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_tmp:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_shadow-utils">
+    <cpe-lang:platform id="krb5_server_older_than_1_17-18">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-package_shadow-utils:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-krb5_server_older_than_1_17_18:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_yum">
+    <cpe-lang:platform id="machine_and_package_chrony_or_package_ntp">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-package_yum:def:1"/>
+        <cpe-lang:logical-test operator="OR" negate="false">
+          <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
+          <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
+        </cpe-lang:logical-test>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_libuser">
+    <cpe-lang:platform id="machine_and_not_s390x_arch">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-package_libuser:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_nss-pam-ldapd">
+    <cpe-lang:platform id="package_sssd">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-package_nss-pam-ldapd:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="not_s390x_arch">
+    <cpe-lang:platform id="machine_and_package_ufw">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="not_rhcos4-rhel9">
-      <cpe-lang:logical-test operator="AND" negate="true">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-installed_OS_is_rhcos4_rhel9:def:1"/>
+    <cpe-lang:platform id="package_libuser">
+      <cpe-lang:logical-test operator="AND" negate="false">
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-package_libuser:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
     <cpe-lang:platform id="package_chrony_or_package_ntp">
@@ -138,81 +163,70 @@
         <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_tftp-server">
+    <cpe-lang:platform id="package_gdm">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-package_tftp-server:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-package_gdm:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_systemd">
+    <cpe-lang:platform id="package_pam">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-package_systemd:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="non-uefi">
+    <cpe-lang:platform id="not_s390x_arch">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="machine_and_mount_tmp">
+    <cpe-lang:platform id="sssd-ldap">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_tmp:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol8-cpe-oval.xml" id-ref="oval:ssg-sssd_conf_uses_ldap:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_sudo">
-      <cpe-lang:logical-test operator="AND" negate="false">
/usr/share/xml/scap/ssg/content/ssg-ol9-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ol9-ds-1.2.xml	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ol9-ds-1.2.xml	2023-07-27 00:00:00.000000000 +0000
@@ -33,7 +33,7 @@
   </ds:component>
   <ds:component id="scap_org.open-scap_comp_ssg-ol9-xccdf.xml" timestamp="2023-07-27T00:00:00">
     <xccdf-1.2:Benchmark id="xccdf_org.ssgproject.content_benchmark_OL-9" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.2 xccdf-1.2.xsd" style="SCAP_1.2" resolved="true" xml:lang="en-US">
-      <xccdf-1.2:status date="2023-07-27">draft</xccdf-1.2:status>
+      <xccdf-1.2:status date="2039-08-29">draft</xccdf-1.2:status>
       <xccdf-1.2:title>Guide to the Secure Configuration of Oracle Linux 9</xccdf-1.2:title>
       <xccdf-1.2:description>This guide presents a catalog of security-relevant
 configuration settings for Oracle Linux 9. It is a rendering of
@@ -76,23 +76,42 @@
 countries. All other names are registered trademarks or trademarks of their
 respective companies.</xccdf-1.2:rear-matter>
       <cpe-lang:platform-specification>
-        <cpe-lang:platform id="machine_and_not_s390x_arch">
+        <cpe-lang:platform id="wifi-iface">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_wifi_interface:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_not_osbuild">
+        <cpe-lang:platform id="krb5_workstation_older_than_1_17-18">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:logical-test operator="AND" negate="true">
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-krb5_workstation_older_than_1_17_18:def:1"/>
+          </cpe-lang:logical-test>
+        </cpe-lang:platform>
+        <cpe-lang:platform id="not_aarch64_arch_and_os_linux_ol_gt_or_eq_9_0_or_aarch64_arch_and_os_linux_rhel_gt_or_eq_9_0_or_os_linux_rhel_le_or_eq_8_4_and_s390x_arch">
+          <cpe-lang:logical-test operator="AND" negate="true">
+            <cpe-lang:logical-test operator="OR" negate="false">
+              <cpe-lang:logical-test operator="AND" negate="false">
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1"/>
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-os_linux_ol_gt_or_eq_9_0:def:1"/>
+              </cpe-lang:logical-test>
+              <cpe-lang:logical-test operator="AND" negate="false">
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1"/>
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_gt_or_eq_9_0:def:1"/>
+              </cpe-lang:logical-test>
+              <cpe-lang:logical-test operator="AND" negate="false">
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_le_or_eq_8_4:def:1"/>
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_s390x:def:1"/>
+              </cpe-lang:logical-test>
             </cpe-lang:logical-test>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_sssd">
+        <cpe-lang:platform id="package_usbguard">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-package_usbguard:def:1"/>
+          </cpe-lang:logical-test>
+        </cpe-lang:platform>
+        <cpe-lang:platform id="package_yum">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-package_yum:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="package_postfix">
@@ -100,45 +119,55 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_mount_var-tmp">
+        <cpe-lang:platform id="non-uefi">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
+          </cpe-lang:logical-test>
+        </cpe-lang:platform>
+        <cpe-lang:platform id="machine_and_not_osbuild">
           <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:logical-test operator="AND" negate="true">
+              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
+            </cpe-lang:logical-test>
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_var-tmp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_pam">
+        <cpe-lang:platform id="package_tftp-server">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-package_tftp-server:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="not_osbuild">
-          <cpe-lang:logical-test operator="AND" negate="true">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
+        <cpe-lang:platform id="package_ntp">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine">
+        <cpe-lang:platform id="machine_and_mount_tmp">
           <cpe-lang:logical-test operator="AND" negate="false">
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_tmp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_shadow-utils">
+        <cpe-lang:platform id="machine_and_not_s390x_arch">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-package_shadow-utils:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_yum">
+        <cpe-lang:platform id="package_sssd">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-package_yum:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_libuser">
+        <cpe-lang:platform id="machine_and_package_ufw">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-package_libuser:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="not_s390x_arch">
+        <cpe-lang:platform id="package_libuser">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-package_libuser:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="package_chrony_or_package_ntp">
@@ -147,25 +176,30 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_tftp-server">
+        <cpe-lang:platform id="package_gdm">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-package_tftp-server:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-package_gdm:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_systemd">
+        <cpe-lang:platform id="package_pam">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-package_systemd:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="non-uefi">
+        <cpe-lang:platform id="not_s390x_arch">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_mount_tmp">
+        <cpe-lang:platform id="package_chrony">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
+          </cpe-lang:logical-test>
+        </cpe-lang:platform>
+        <cpe-lang:platform id="machine_and_mount_var-tmp">
           <cpe-lang:logical-test operator="AND" negate="false">
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_tmp:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_var-tmp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="package_sudo">
@@ -173,19 +207,14 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-package_sudo:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="not_package_nftables_and_not_package_ufw">
+        <cpe-lang:platform id="package_systemd">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:logical-test operator="AND" negate="true">
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-package_nftables:def:1"/>
-            </cpe-lang:logical-test>
-            <cpe-lang:logical-test operator="AND" negate="true">
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
-            </cpe-lang:logical-test>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-package_systemd:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_gdm">
+        <cpe-lang:platform id="aarch64_arch">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-package_gdm:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="grub2">
@@ -193,52 +222,34 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_grub2_package:def:1"/>
/usr/share/xml/scap/ssg/content/ssg-ol9-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ol9-ds.xml	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ol9-ds.xml	2023-07-27 00:00:00.000000000 +0000
@@ -35,7 +35,7 @@
   </ds:component>
   <ds:component id="scap_org.open-scap_comp_ssg-ol9-xccdf.xml" timestamp="2023-07-27T00:00:00">
     <xccdf-1.2:Benchmark id="xccdf_org.ssgproject.content_benchmark_OL-9" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.2 xccdf-1.2.xsd" style="SCAP_1.2" resolved="true" xml:lang="en-US">
-      <xccdf-1.2:status date="2023-07-27">draft</xccdf-1.2:status>
+      <xccdf-1.2:status date="2039-08-29">draft</xccdf-1.2:status>
       <xccdf-1.2:title>Guide to the Secure Configuration of Oracle Linux 9</xccdf-1.2:title>
       <xccdf-1.2:description>This guide presents a catalog of security-relevant
 configuration settings for Oracle Linux 9. It is a rendering of
@@ -78,23 +78,42 @@
 countries. All other names are registered trademarks or trademarks of their
 respective companies.</xccdf-1.2:rear-matter>
       <cpe-lang:platform-specification>
-        <cpe-lang:platform id="machine_and_not_s390x_arch">
+        <cpe-lang:platform id="wifi-iface">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_wifi_interface:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_not_osbuild">
+        <cpe-lang:platform id="krb5_workstation_older_than_1_17-18">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:logical-test operator="AND" negate="true">
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-krb5_workstation_older_than_1_17_18:def:1"/>
+          </cpe-lang:logical-test>
+        </cpe-lang:platform>
+        <cpe-lang:platform id="not_aarch64_arch_and_os_linux_ol_gt_or_eq_9_0_or_aarch64_arch_and_os_linux_rhel_gt_or_eq_9_0_or_os_linux_rhel_le_or_eq_8_4_and_s390x_arch">
+          <cpe-lang:logical-test operator="AND" negate="true">
+            <cpe-lang:logical-test operator="OR" negate="false">
+              <cpe-lang:logical-test operator="AND" negate="false">
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1"/>
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-os_linux_ol_gt_or_eq_9_0:def:1"/>
+              </cpe-lang:logical-test>
+              <cpe-lang:logical-test operator="AND" negate="false">
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1"/>
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_gt_or_eq_9_0:def:1"/>
+              </cpe-lang:logical-test>
+              <cpe-lang:logical-test operator="AND" negate="false">
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_le_or_eq_8_4:def:1"/>
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_s390x:def:1"/>
+              </cpe-lang:logical-test>
             </cpe-lang:logical-test>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_sssd">
+        <cpe-lang:platform id="package_usbguard">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-package_usbguard:def:1"/>
+          </cpe-lang:logical-test>
+        </cpe-lang:platform>
+        <cpe-lang:platform id="package_yum">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-package_yum:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="package_postfix">
@@ -102,45 +121,55 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_mount_var-tmp">
+        <cpe-lang:platform id="non-uefi">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
+          </cpe-lang:logical-test>
+        </cpe-lang:platform>
+        <cpe-lang:platform id="machine_and_not_osbuild">
           <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:logical-test operator="AND" negate="true">
+              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
+            </cpe-lang:logical-test>
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_var-tmp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_pam">
+        <cpe-lang:platform id="package_tftp-server">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-package_tftp-server:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="not_osbuild">
-          <cpe-lang:logical-test operator="AND" negate="true">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
+        <cpe-lang:platform id="package_ntp">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine">
+        <cpe-lang:platform id="machine_and_mount_tmp">
           <cpe-lang:logical-test operator="AND" negate="false">
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_tmp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_shadow-utils">
+        <cpe-lang:platform id="machine_and_not_s390x_arch">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-package_shadow-utils:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_yum">
+        <cpe-lang:platform id="package_sssd">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-package_yum:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_libuser">
+        <cpe-lang:platform id="machine_and_package_ufw">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-package_libuser:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="not_s390x_arch">
+        <cpe-lang:platform id="package_libuser">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-package_libuser:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="package_chrony_or_package_ntp">
@@ -149,25 +178,30 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_tftp-server">
+        <cpe-lang:platform id="package_gdm">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-package_tftp-server:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-package_gdm:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_systemd">
+        <cpe-lang:platform id="package_pam">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-package_systemd:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="non-uefi">
+        <cpe-lang:platform id="not_s390x_arch">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_mount_tmp">
+        <cpe-lang:platform id="package_chrony">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
+          </cpe-lang:logical-test>
+        </cpe-lang:platform>
+        <cpe-lang:platform id="machine_and_mount_var-tmp">
           <cpe-lang:logical-test operator="AND" negate="false">
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_tmp:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_var-tmp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="package_sudo">
@@ -175,19 +209,14 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-package_sudo:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="not_package_nftables_and_not_package_ufw">
+        <cpe-lang:platform id="package_systemd">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:logical-test operator="AND" negate="true">
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-package_nftables:def:1"/>
-            </cpe-lang:logical-test>
-            <cpe-lang:logical-test operator="AND" negate="true">
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
-            </cpe-lang:logical-test>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-package_systemd:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_gdm">
+        <cpe-lang:platform id="aarch64_arch">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-package_gdm:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="grub2">
@@ -195,52 +224,34 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_grub2_package:def:1"/>
/usr/share/xml/scap/ssg/content/ssg-ol9-ocil.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ol9-ocil.xml	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ol9-ocil.xml	2023-07-27 00:00:00.000000000 +0000
@@ -7,466 +7,473 @@
     <ocil:timestamp>2023-07-27T00:00:00</ocil:timestamp>
   </ocil:generator>
   <ocil:questionnaires>
-    <ocil:questionnaire id="ocil:ssg-account_passwords_pam_faillock_dir_ocil:questionnaire:1">
-      <ocil:title>Account Lockouts Must Persist</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-file_permissions_unauthorized_sgid_ocil:questionnaire:1">
+      <ocil:title>Ensure All SGID Executables Are Authorized</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-account_passwords_pam_faillock_dir_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-file_permissions_unauthorized_sgid_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-sshd_enable_warning_banner_net_ocil:questionnaire:1">
-      <ocil:title>Enable SSH Warning Banner</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-no_tmux_in_shells_ocil:questionnaire:1">
+      <ocil:title>Prevent user from disabling the screen lock</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-sshd_enable_warning_banner_net_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-no_tmux_in_shells_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-mount_option_tmp_nodev_ocil:questionnaire:1">
-      <ocil:title>Add nodev Option to /tmp</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-configure_firewalld_ports_ocil:questionnaire:1">
+      <ocil:title>Configure the Firewalld Ports</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-mount_option_tmp_nodev_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-configure_firewalld_ports_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-mount_option_nodev_nonroot_local_partitions_ocil:questionnaire:1">
-      <ocil:title>Add nodev Option to Non-Root Local Partitions</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-kernel_config_kexec_ocil:questionnaire:1">
+      <ocil:title>Disable kexec system call</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-mount_option_nodev_nonroot_local_partitions_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-kernel_config_kexec_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-set_password_hashing_min_rounds_logindefs_ocil:questionnaire:1">
-      <ocil:title>Set Password Hashing Rounds in /etc/login.defs</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-accounts_password_set_max_life_existing_ocil:questionnaire:1">
+      <ocil:title>Set Existing Passwords Maximum Age</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-set_password_hashing_min_rounds_logindefs_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-accounts_password_set_max_life_existing_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-package_MFEhiplsm_installed_ocil:questionnaire:1">
-      <ocil:title>Install the Host Intrusion Prevention System (HIPS) Module</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-mount_option_var_log_audit_nosuid_ocil:questionnaire:1">
+      <ocil:title>Add nosuid Option to /var/log/audit</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-package_MFEhiplsm_installed_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-mount_option_var_log_audit_nosuid_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-grub2_disable_recovery_ocil:questionnaire:1">
-      <ocil:title>Disable Recovery Booting</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-file_permission_user_init_files_ocil:questionnaire:1">
+      <ocil:title>Ensure All User Initialization Files Have Mode 0740 Or Less Permissive</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-grub2_disable_recovery_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-file_permission_user_init_files_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-sudo_vdsm_nopasswd_ocil:questionnaire:1">
-      <ocil:title>Only the VDSM User Can Use sudo NOPASSWD</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-mount_option_noexec_remote_filesystems_ocil:questionnaire:1">
+      <ocil:title>Mount Remote Filesystems with noexec</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-sudo_vdsm_nopasswd_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-mount_option_noexec_remote_filesystems_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-tftpd_uses_secure_mode_ocil:questionnaire:1">
-      <ocil:title>Ensure tftp Daemon Uses Secure Mode</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-ensure_oracle_gpgkey_installed_ocil:questionnaire:1">
+      <ocil:title>Ensure Oracle Linux GPG Key Installed</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-tftpd_uses_secure_mode_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-ensure_oracle_gpgkey_installed_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-file_owner_var_log_messages_ocil:questionnaire:1">
-      <ocil:title>Verify User Who Owns /var/log/messages File</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-file_owner_cron_hourly_ocil:questionnaire:1">
+      <ocil:title>Verify Owner on cron.hourly</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-file_owner_var_log_messages_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-file_owner_cron_hourly_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv6_conf_default_accept_ra_pinfo_ocil:questionnaire:1">
-      <ocil:title>Configure Accepting Prefix Information in Router Advertisements on All IPv6 Interfaces By Default</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-audit_rules_login_events_tallylog_ocil:questionnaire:1">
+      <ocil:title>Record Attempts to Alter Logon and Logout Events - tallylog</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv6_conf_default_accept_ra_pinfo_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-audit_rules_login_events_tallylog_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-grub2_password_ocil:questionnaire:1">
-      <ocil:title>Set Boot Loader Password in grub2</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv6_conf_default_accept_source_route_ocil:questionnaire:1">
+      <ocil:title>Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-grub2_password_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv6_conf_default_accept_source_route_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv4_conf_default_send_redirects_ocil:questionnaire:1">
-      <ocil:title>Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-enable_fips_mode_ocil:questionnaire:1">
+      <ocil:title>Enable FIPS Mode</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv4_conf_default_send_redirects_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-enable_fips_mode_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-file_groupowner_etc_shadow_ocil:questionnaire:1">
-      <ocil:title>Verify Group Who Owns shadow File</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-sudo_require_reauthentication_ocil:questionnaire:1">
+      <ocil:title>Require Re-Authentication When Using the sudo Command</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-file_groupowner_etc_shadow_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-sudo_require_reauthentication_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-mount_option_opt_nosuid_ocil:questionnaire:1">
-      <ocil:title>Add nosuid Option to /opt</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-rsyslog_files_ownership_ocil:questionnaire:1">
+      <ocil:title>Ensure Log Files Are Owned By Appropriate User</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-mount_option_opt_nosuid_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-rsyslog_files_ownership_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_rtr_pref_ocil:questionnaire:1">
-      <ocil:title>Configure Accepting Router Preference in Router Advertisements on All IPv6 Interfaces</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-auditd_data_retention_max_log_file_action_ocil:questionnaire:1">
+      <ocil:title>Configure auditd max_log_file_action Upon Reaching Maximum Log Size</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_rtr_pref_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-auditd_data_retention_max_log_file_action_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-configure_usbguard_auditbackend_ocil:questionnaire:1">
-      <ocil:title>Log USBGuard daemon audit events using Linux Audit</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-auditd_data_retention_space_left_percentage_ocil:questionnaire:1">
+      <ocil:title>Configure auditd space_left on Low Disk Space</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-configure_usbguard_auditbackend_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-auditd_data_retention_space_left_percentage_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-file_permissions_backup_etc_shadow_ocil:questionnaire:1">
-      <ocil:title>Verify Permissions on Backup shadow File</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-file_groupowner_var_log_syslog_ocil:questionnaire:1">
+      <ocil:title>Verify Group Who Owns /var/log/syslog File</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-file_permissions_backup_etc_shadow_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-file_groupowner_var_log_syslog_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-set_ip6tables_default_rule_ocil:questionnaire:1">
-      <ocil:title>Set Default ip6tables Policy for Incoming Packets</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-grub2_nosmep_argument_absent_ocil:questionnaire:1">
+      <ocil:title>Ensure SMEP is not disabled during boot</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-set_ip6tables_default_rule_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-grub2_nosmep_argument_absent_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-bios_enable_execution_restrictions_ocil:questionnaire:1">
-      <ocil:title>Enable NX or XD Support in the BIOS</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-rsyslog_nolisten_ocil:questionnaire:1">
+      <ocil:title>Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-bios_enable_execution_restrictions_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-rsyslog_nolisten_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-file_groupowner_backup_etc_shadow_ocil:questionnaire:1">
-      <ocil:title>Verify User Who Owns Backup shadow File</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-auditd_data_disk_full_action_ocil:questionnaire:1">
+      <ocil:title>Configure auditd Disk Full Action when Disk Space Is Full</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-file_groupowner_backup_etc_shadow_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-auditd_data_disk_full_action_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-audit_rules_sysadmin_actions_ocil:questionnaire:1">
-      <ocil:title>Ensure auditd Collects System Administrator Actions</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-audit_modify_failed_ocil:questionnaire:1">
+      <ocil:title>Configure auditing of unsuccessful file modifications</ocil:title>
       <ocil:actions>
/usr/share/xml/scap/ssg/content/ssg-ol9-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ol9-xccdf.xml	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ol9-xccdf.xml	2023-07-27 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
 <?xml version="1.0"?>
 <xccdf-1.2:Benchmark xmlns:cpe-lang="http://cpe.mitre.org/language/2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:html="http://www.w3.org/1999/xhtml" xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="xccdf_org.ssgproject.content_benchmark_OL-9" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.2 xccdf-1.2.xsd" style="SCAP_1.2" resolved="true" xml:lang="en-US">
-  <xccdf-1.2:status date="2023-07-27">draft</xccdf-1.2:status>
+  <xccdf-1.2:status date="2039-08-29">draft</xccdf-1.2:status>
   <xccdf-1.2:title>Guide to the Secure Configuration of Oracle Linux 9</xccdf-1.2:title>
   <xccdf-1.2:description>This guide presents a catalog of security-relevant
 configuration settings for Oracle Linux 9. It is a rendering of
@@ -43,23 +43,42 @@
 countries. All other names are registered trademarks or trademarks of their
 respective companies.</xccdf-1.2:rear-matter>
   <cpe-lang:platform-specification>
-    <cpe-lang:platform id="machine_and_not_s390x_arch">
+    <cpe-lang:platform id="wifi-iface">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_wifi_interface:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="machine_and_not_osbuild">
+    <cpe-lang:platform id="krb5_workstation_older_than_1_17-18">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:logical-test operator="AND" negate="true">
-          <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-krb5_workstation_older_than_1_17_18:def:1"/>
+      </cpe-lang:logical-test>
+    </cpe-lang:platform>
+    <cpe-lang:platform id="not_aarch64_arch_and_os_linux_ol_gt_or_eq_9_0_or_aarch64_arch_and_os_linux_rhel_gt_or_eq_9_0_or_os_linux_rhel_le_or_eq_8_4_and_s390x_arch">
+      <cpe-lang:logical-test operator="AND" negate="true">
+        <cpe-lang:logical-test operator="OR" negate="false">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-os_linux_ol_gt_or_eq_9_0:def:1"/>
+          </cpe-lang:logical-test>
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_gt_or_eq_9_0:def:1"/>
+          </cpe-lang:logical-test>
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_le_or_eq_8_4:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_s390x:def:1"/>
+          </cpe-lang:logical-test>
         </cpe-lang:logical-test>
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_sssd">
+    <cpe-lang:platform id="package_usbguard">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-package_usbguard:def:1"/>
+      </cpe-lang:logical-test>
+    </cpe-lang:platform>
+    <cpe-lang:platform id="package_yum">
+      <cpe-lang:logical-test operator="AND" negate="false">
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-package_yum:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
     <cpe-lang:platform id="package_postfix">
@@ -67,45 +86,55 @@
         <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="machine_and_mount_var-tmp">
+    <cpe-lang:platform id="non-uefi">
+      <cpe-lang:logical-test operator="AND" negate="false">
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
+      </cpe-lang:logical-test>
+    </cpe-lang:platform>
+    <cpe-lang:platform id="machine_and_not_osbuild">
       <cpe-lang:logical-test operator="AND" negate="false">
+        <cpe-lang:logical-test operator="AND" negate="true">
+          <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
+        </cpe-lang:logical-test>
         <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_var-tmp:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_pam">
+    <cpe-lang:platform id="package_tftp-server">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-package_tftp-server:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="not_osbuild">
-      <cpe-lang:logical-test operator="AND" negate="true">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
+    <cpe-lang:platform id="package_ntp">
+      <cpe-lang:logical-test operator="AND" negate="false">
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="machine">
+    <cpe-lang:platform id="machine_and_mount_tmp">
       <cpe-lang:logical-test operator="AND" negate="false">
         <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_tmp:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_shadow-utils">
+    <cpe-lang:platform id="machine_and_not_s390x_arch">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-package_shadow-utils:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_yum">
+    <cpe-lang:platform id="package_sssd">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-package_yum:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_libuser">
+    <cpe-lang:platform id="machine_and_package_ufw">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-package_libuser:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="not_s390x_arch">
+    <cpe-lang:platform id="package_libuser">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-package_libuser:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
     <cpe-lang:platform id="package_chrony_or_package_ntp">
@@ -114,25 +143,30 @@
         <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_tftp-server">
+    <cpe-lang:platform id="package_gdm">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-package_tftp-server:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-package_gdm:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_systemd">
+    <cpe-lang:platform id="package_pam">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-package_systemd:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="non-uefi">
+    <cpe-lang:platform id="not_s390x_arch">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="machine_and_mount_tmp">
+    <cpe-lang:platform id="package_chrony">
+      <cpe-lang:logical-test operator="AND" negate="false">
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
+      </cpe-lang:logical-test>
+    </cpe-lang:platform>
+    <cpe-lang:platform id="machine_and_mount_var-tmp">
       <cpe-lang:logical-test operator="AND" negate="false">
         <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_tmp:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_var-tmp:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
     <cpe-lang:platform id="package_sudo">
@@ -140,19 +174,14 @@
         <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-package_sudo:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="not_package_nftables_and_not_package_ufw">
+    <cpe-lang:platform id="package_systemd">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:logical-test operator="AND" negate="true">
-          <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-package_nftables:def:1"/>
-        </cpe-lang:logical-test>
-        <cpe-lang:logical-test operator="AND" negate="true">
-          <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
-        </cpe-lang:logical-test>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-package_systemd:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_gdm">
+    <cpe-lang:platform id="aarch64_arch">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-package_gdm:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
     <cpe-lang:platform id="grub2">
@@ -160,52 +189,34 @@
         <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ol9-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_grub2_package:def:1"/>
       </cpe-lang:logical-test>
/usr/share/xml/scap/ssg/content/ssg-rhcos4-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhcos4-ds-1.2.xml	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhcos4-ds-1.2.xml	2023-07-27 00:00:00.000000000 +0000
@@ -33,7 +33,7 @@
   </ds:component>
   <ds:component id="scap_org.open-scap_comp_ssg-rhcos4-xccdf.xml" timestamp="2023-07-27T00:00:00">
     <xccdf-1.2:Benchmark id="xccdf_org.ssgproject.content_benchmark_RHCOS-4" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.2 xccdf-1.2.xsd" style="SCAP_1.2" resolved="true" xml:lang="en-US">
-      <xccdf-1.2:status date="2023-07-27">draft</xccdf-1.2:status>
+      <xccdf-1.2:status date="2039-08-29">draft</xccdf-1.2:status>
       <xccdf-1.2:title>Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4</xccdf-1.2:title>
       <xccdf-1.2:description>This guide presents a catalog of security-relevant
 configuration settings for Red Hat Enterprise Linux CoreOS 4. It is a rendering of
@@ -76,78 +76,74 @@
 countries. All other names are registered trademarks or trademarks of their
 respective companies.</xccdf-1.2:rear-matter>
       <cpe-lang:platform-specification>
-        <cpe-lang:platform id="machine_and_package_chrony_or_package_ntp">
+        <cpe-lang:platform id="wifi-iface">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:logical-test operator="OR" negate="false">
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
-            </cpe-lang:logical-test>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_wifi_interface:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_not_s390x_arch">
+        <cpe-lang:platform id="package_usbguard">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-package_usbguard:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_not_osbuild">
+        <cpe-lang:platform id="package_postfix">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:logical-test operator="AND" negate="true">
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
-            </cpe-lang:logical-test>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_sssd">
+        <cpe-lang:platform id="non-uefi">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_postfix">
+        <cpe-lang:platform id="rhcos4-rhel9">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-installed_OS_is_rhcos4_rhel9:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_mount_var-tmp">
+        <cpe-lang:platform id="machine_and_not_osbuild">
           <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:logical-test operator="AND" negate="true">
+              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
+            </cpe-lang:logical-test>
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_var-tmp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_pam">
+        <cpe-lang:platform id="package_ntp">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
-          </cpe-lang:logical-test>
-        </cpe-lang:platform>
-        <cpe-lang:platform id="not_osbuild">
-          <cpe-lang:logical-test operator="AND" negate="true">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine">
+        <cpe-lang:platform id="machine_and_mount_tmp">
           <cpe-lang:logical-test operator="AND" negate="false">
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_tmp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="rhcos4-rhel9">
+        <cpe-lang:platform id="machine_and_package_chrony_or_package_ntp">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-installed_OS_is_rhcos4_rhel9:def:1"/>
+            <cpe-lang:logical-test operator="OR" negate="false">
+              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
+              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
+            </cpe-lang:logical-test>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_shadow-utils">
+        <cpe-lang:platform id="machine_and_not_s390x_arch">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-package_shadow-utils:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_polkit">
+        <cpe-lang:platform id="package_sssd">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-package_polkit:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="not_rhcos4-rhel9">
-          <cpe-lang:logical-test operator="AND" negate="true">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-installed_OS_is_rhcos4_rhel9:def:1"/>
+        <cpe-lang:platform id="machine_and_package_ufw">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="package_chrony_or_package_ntp">
@@ -156,20 +152,30 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_systemd">
+        <cpe-lang:platform id="package_gdm">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-package_systemd:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-package_gdm:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="non-uefi">
+        <cpe-lang:platform id="package_pam">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_mount_tmp">
+        <cpe-lang:platform id="not_rhcos4-rhel9">
+          <cpe-lang:logical-test operator="AND" negate="true">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-installed_OS_is_rhcos4_rhel9:def:1"/>
+          </cpe-lang:logical-test>
+        </cpe-lang:platform>
+        <cpe-lang:platform id="package_chrony">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
+          </cpe-lang:logical-test>
+        </cpe-lang:platform>
+        <cpe-lang:platform id="machine_and_mount_var-tmp">
           <cpe-lang:logical-test operator="AND" negate="false">
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_tmp:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_var-tmp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="package_sudo">
@@ -177,19 +183,14 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-package_sudo:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="not_package_nftables_and_not_package_ufw">
+        <cpe-lang:platform id="package_systemd">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:logical-test operator="AND" negate="true">
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-package_nftables:def:1"/>
-            </cpe-lang:logical-test>
-            <cpe-lang:logical-test operator="AND" negate="true">
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
-            </cpe-lang:logical-test>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-package_systemd:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_gdm">
+        <cpe-lang:platform id="aarch64_arch">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-package_gdm:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="grub2">
@@ -197,40 +198,45 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_grub2_package:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="wifi-iface">
-          <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_wifi_interface:def:1"/>
+        <cpe-lang:platform id="not_osbuild">
+          <cpe-lang:logical-test operator="AND" negate="true">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_ntp">
+        <cpe-lang:platform id="krb5_server_older_than_1_17-18_and_krb5_workstation_older_than_1_17-18">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
/usr/share/xml/scap/ssg/content/ssg-rhcos4-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhcos4-ds.xml	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhcos4-ds.xml	2023-07-27 00:00:00.000000000 +0000
@@ -33,7 +33,7 @@
   </ds:component>
   <ds:component id="scap_org.open-scap_comp_ssg-rhcos4-xccdf.xml" timestamp="2023-07-27T00:00:00">
     <xccdf-1.2:Benchmark id="xccdf_org.ssgproject.content_benchmark_RHCOS-4" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.2 xccdf-1.2.xsd" style="SCAP_1.2" resolved="true" xml:lang="en-US">
-      <xccdf-1.2:status date="2023-07-27">draft</xccdf-1.2:status>
+      <xccdf-1.2:status date="2039-08-29">draft</xccdf-1.2:status>
       <xccdf-1.2:title>Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4</xccdf-1.2:title>
       <xccdf-1.2:description>This guide presents a catalog of security-relevant
 configuration settings for Red Hat Enterprise Linux CoreOS 4. It is a rendering of
@@ -76,78 +76,74 @@
 countries. All other names are registered trademarks or trademarks of their
 respective companies.</xccdf-1.2:rear-matter>
       <cpe-lang:platform-specification>
-        <cpe-lang:platform id="machine_and_package_chrony_or_package_ntp">
+        <cpe-lang:platform id="wifi-iface">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:logical-test operator="OR" negate="false">
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
-            </cpe-lang:logical-test>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_wifi_interface:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_not_s390x_arch">
+        <cpe-lang:platform id="package_usbguard">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-package_usbguard:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_not_osbuild">
+        <cpe-lang:platform id="package_postfix">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:logical-test operator="AND" negate="true">
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
-            </cpe-lang:logical-test>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_sssd">
+        <cpe-lang:platform id="non-uefi">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_postfix">
+        <cpe-lang:platform id="rhcos4-rhel9">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-installed_OS_is_rhcos4_rhel9:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_mount_var-tmp">
+        <cpe-lang:platform id="machine_and_not_osbuild">
           <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:logical-test operator="AND" negate="true">
+              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
+            </cpe-lang:logical-test>
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_var-tmp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_pam">
+        <cpe-lang:platform id="package_ntp">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
-          </cpe-lang:logical-test>
-        </cpe-lang:platform>
-        <cpe-lang:platform id="not_osbuild">
-          <cpe-lang:logical-test operator="AND" negate="true">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine">
+        <cpe-lang:platform id="machine_and_mount_tmp">
           <cpe-lang:logical-test operator="AND" negate="false">
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_tmp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="rhcos4-rhel9">
+        <cpe-lang:platform id="machine_and_package_chrony_or_package_ntp">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-installed_OS_is_rhcos4_rhel9:def:1"/>
+            <cpe-lang:logical-test operator="OR" negate="false">
+              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
+              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
+            </cpe-lang:logical-test>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_shadow-utils">
+        <cpe-lang:platform id="machine_and_not_s390x_arch">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-package_shadow-utils:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_polkit">
+        <cpe-lang:platform id="package_sssd">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-package_polkit:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="not_rhcos4-rhel9">
-          <cpe-lang:logical-test operator="AND" negate="true">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-installed_OS_is_rhcos4_rhel9:def:1"/>
+        <cpe-lang:platform id="machine_and_package_ufw">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="package_chrony_or_package_ntp">
@@ -156,20 +152,30 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_systemd">
+        <cpe-lang:platform id="package_gdm">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-package_systemd:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-package_gdm:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="non-uefi">
+        <cpe-lang:platform id="package_pam">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_mount_tmp">
+        <cpe-lang:platform id="not_rhcos4-rhel9">
+          <cpe-lang:logical-test operator="AND" negate="true">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-installed_OS_is_rhcos4_rhel9:def:1"/>
+          </cpe-lang:logical-test>
+        </cpe-lang:platform>
+        <cpe-lang:platform id="package_chrony">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
+          </cpe-lang:logical-test>
+        </cpe-lang:platform>
+        <cpe-lang:platform id="machine_and_mount_var-tmp">
           <cpe-lang:logical-test operator="AND" negate="false">
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_tmp:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_var-tmp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="package_sudo">
@@ -177,19 +183,14 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-package_sudo:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="not_package_nftables_and_not_package_ufw">
+        <cpe-lang:platform id="package_systemd">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:logical-test operator="AND" negate="true">
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-package_nftables:def:1"/>
-            </cpe-lang:logical-test>
-            <cpe-lang:logical-test operator="AND" negate="true">
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
-            </cpe-lang:logical-test>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-package_systemd:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_gdm">
+        <cpe-lang:platform id="aarch64_arch">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-package_gdm:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="grub2">
@@ -197,40 +198,45 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_grub2_package:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="wifi-iface">
-          <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_wifi_interface:def:1"/>
+        <cpe-lang:platform id="not_osbuild">
+          <cpe-lang:logical-test operator="AND" negate="true">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_ntp">
+        <cpe-lang:platform id="krb5_server_older_than_1_17-18_and_krb5_workstation_older_than_1_17-18">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
/usr/share/xml/scap/ssg/content/ssg-rhcos4-ocil.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhcos4-ocil.xml	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhcos4-ocil.xml	2023-07-27 00:00:00.000000000 +0000
@@ -7,778 +7,766 @@
     <ocil:timestamp>2023-07-27T00:00:00</ocil:timestamp>
   </ocil:generator>
   <ocil:questionnaires>
-    <ocil:questionnaire id="ocil:ssg-account_passwords_pam_faillock_dir_ocil:questionnaire:1">
-      <ocil:title>Account Lockouts Must Persist</ocil:title>
-      <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-account_passwords_pam_faillock_dir_action:testaction:1</ocil:test_action_ref>
-      </ocil:actions>
-    </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-sshd_enable_warning_banner_net_ocil:questionnaire:1">
-      <ocil:title>Enable SSH Warning Banner</ocil:title>
-      <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-sshd_enable_warning_banner_net_action:testaction:1</ocil:test_action_ref>
-      </ocil:actions>
-    </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-mount_option_tmp_nodev_ocil:questionnaire:1">
-      <ocil:title>Add nodev Option to /tmp</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-no_tmux_in_shells_ocil:questionnaire:1">
+      <ocil:title>Prevent user from disabling the screen lock</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-mount_option_tmp_nodev_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-no_tmux_in_shells_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-mount_option_nodev_nonroot_local_partitions_ocil:questionnaire:1">
-      <ocil:title>Add nodev Option to Non-Root Local Partitions</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-kernel_config_kexec_ocil:questionnaire:1">
+      <ocil:title>Disable kexec system call</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-mount_option_nodev_nonroot_local_partitions_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-kernel_config_kexec_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-zipl_audit_argument_ocil:questionnaire:1">
-      <ocil:title>Enable Auditing to Start Prior to the Audit Daemon in zIPL</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-no_legacy_plus_entries_etc_shadow_ocil:questionnaire:1">
+      <ocil:title>Ensure there are no legacy + NIS entries in /etc/shadow</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-zipl_audit_argument_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-no_legacy_plus_entries_etc_shadow_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-package_MFEhiplsm_installed_ocil:questionnaire:1">
-      <ocil:title>Install the Host Intrusion Prevention System (HIPS) Module</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-mount_option_var_log_audit_nosuid_ocil:questionnaire:1">
+      <ocil:title>Add nosuid Option to /var/log/audit</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-package_MFEhiplsm_installed_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-mount_option_var_log_audit_nosuid_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-grub2_disable_recovery_ocil:questionnaire:1">
-      <ocil:title>Disable Recovery Booting</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-audit_rules_login_events_tallylog_ocil:questionnaire:1">
+      <ocil:title>Record Attempts to Alter Logon and Logout Events - tallylog</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-grub2_disable_recovery_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-audit_rules_login_events_tallylog_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write_ocil:questionnaire:1">
-      <ocil:title>Record Unsuccessful Modification Attempts to Files - open_by_handle_at O_TRUNC_WRITE</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv6_conf_default_accept_source_route_ocil:questionnaire:1">
+      <ocil:title>Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv6_conf_default_accept_source_route_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-sudo_vdsm_nopasswd_ocil:questionnaire:1">
-      <ocil:title>Only the VDSM User Can Use sudo NOPASSWD</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-enable_fips_mode_ocil:questionnaire:1">
+      <ocil:title>Enable FIPS Mode</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-sudo_vdsm_nopasswd_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-enable_fips_mode_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-kernel_module_iwlwifi_disabled_ocil:questionnaire:1">
-      <ocil:title>Disable Kernel iwlwifi Module</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-rsyslog_files_ownership_ocil:questionnaire:1">
+      <ocil:title>Ensure Log Files Are Owned By Appropriate User</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-kernel_module_iwlwifi_disabled_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-rsyslog_files_ownership_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-package_samba-common_installed_ocil:questionnaire:1">
-      <ocil:title>Install the Samba Common Package</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-auditd_data_retention_max_log_file_action_ocil:questionnaire:1">
+      <ocil:title>Configure auditd max_log_file_action Upon Reaching Maximum Log Size</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-package_samba-common_installed_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-auditd_data_retention_max_log_file_action_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-file_owner_var_log_messages_ocil:questionnaire:1">
-      <ocil:title>Verify User Who Owns /var/log/messages File</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-file_groupowner_var_log_syslog_ocil:questionnaire:1">
+      <ocil:title>Verify Group Who Owns /var/log/syslog File</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-file_owner_var_log_messages_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-file_groupowner_var_log_syslog_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv4_conf_default_send_redirects_ocil:questionnaire:1">
-      <ocil:title>Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-grub2_nosmep_argument_absent_ocil:questionnaire:1">
+      <ocil:title>Ensure SMEP is not disabled during boot</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv4_conf_default_send_redirects_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-grub2_nosmep_argument_absent_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-file_groupowner_etc_shadow_ocil:questionnaire:1">
-      <ocil:title>Verify Group Who Owns shadow File</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-auditd_data_disk_full_action_ocil:questionnaire:1">
+      <ocil:title>Configure auditd Disk Full Action when Disk Space Is Full</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-file_groupowner_etc_shadow_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-auditd_data_disk_full_action_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-auditd_data_retention_space_left_ocil:questionnaire:1">
-      <ocil:title>Configure auditd space_left on Low Disk Space</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-audit_modify_failed_ocil:questionnaire:1">
+      <ocil:title>Configure auditing of unsuccessful file modifications</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-auditd_data_retention_space_left_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-audit_modify_failed_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-configure_usbguard_auditbackend_ocil:questionnaire:1">
-      <ocil:title>Log USBGuard daemon audit events using Linux Audit</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-set_iptables_default_rule_forward_ocil:questionnaire:1">
+      <ocil:title>Set Default iptables Policy for Forwarded Packets</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-configure_usbguard_auditbackend_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-set_iptables_default_rule_forward_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-file_permissions_backup_etc_shadow_ocil:questionnaire:1">
-      <ocil:title>Verify Permissions on Backup shadow File</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-kernel_module_cfg80211_disabled_ocil:questionnaire:1">
+      <ocil:title>Disable Kernel cfg80211 Module</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-file_permissions_backup_etc_shadow_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-kernel_module_cfg80211_disabled_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-set_ip6tables_default_rule_ocil:questionnaire:1">
-      <ocil:title>Set Default ip6tables Policy for Incoming Packets</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-dir_ownership_library_dirs_ocil:questionnaire:1">
+      <ocil:title>Verify that Shared Library Directories Have Root Ownership</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-set_ip6tables_default_rule_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-dir_ownership_library_dirs_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-file_groupowner_backup_etc_shadow_ocil:questionnaire:1">
-      <ocil:title>Verify User Who Owns Backup shadow File</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-audit_rules_time_adjtimex_ocil:questionnaire:1">
+      <ocil:title>Record attempts to alter time through adjtimex</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-file_groupowner_backup_etc_shadow_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-audit_rules_time_adjtimex_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-audit_rules_sysadmin_actions_ocil:questionnaire:1">
-      <ocil:title>Ensure auditd Collects System Administrator Actions</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-package_rsyslog_installed_ocil:questionnaire:1">
+      <ocil:title>Ensure rsyslog is Installed</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-audit_rules_sysadmin_actions_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-package_rsyslog_installed_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-grub2_enable_selinux_ocil:questionnaire:1">
-      <ocil:title>Ensure SELinux Not Disabled in /etc/default/grub</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-grub2_nosmap_argument_absent_ocil:questionnaire:1">
+      <ocil:title>Ensure SMAP is not disabled during boot</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-grub2_enable_selinux_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv4_icmp_echo_ignore_broadcasts_ocil:questionnaire:1">
-      <ocil:title>Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-sshd_disable_rhosts_rsa_ocil:questionnaire:1">
+      <ocil:title>Disable SSH Support for Rhosts RSA Authentication</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv4_icmp_echo_ignore_broadcasts_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-sshd_disable_rhosts_rsa_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-kernel_module_atm_disabled_ocil:questionnaire:1">
-      <ocil:title>Disable ATM Support</ocil:title>
/usr/share/xml/scap/ssg/content/ssg-rhcos4-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhcos4-xccdf.xml	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhcos4-xccdf.xml	2023-07-27 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
 <?xml version="1.0"?>
 <xccdf-1.2:Benchmark xmlns:cpe-lang="http://cpe.mitre.org/language/2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:html="http://www.w3.org/1999/xhtml" xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="xccdf_org.ssgproject.content_benchmark_RHCOS-4" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.2 xccdf-1.2.xsd" style="SCAP_1.2" resolved="true" xml:lang="en-US">
-  <xccdf-1.2:status date="2023-07-27">draft</xccdf-1.2:status>
+  <xccdf-1.2:status date="2039-08-29">draft</xccdf-1.2:status>
   <xccdf-1.2:title>Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4</xccdf-1.2:title>
   <xccdf-1.2:description>This guide presents a catalog of security-relevant
 configuration settings for Red Hat Enterprise Linux CoreOS 4. It is a rendering of
@@ -43,78 +43,74 @@
 countries. All other names are registered trademarks or trademarks of their
 respective companies.</xccdf-1.2:rear-matter>
   <cpe-lang:platform-specification>
-    <cpe-lang:platform id="machine_and_package_chrony_or_package_ntp">
+    <cpe-lang:platform id="wifi-iface">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:logical-test operator="OR" negate="false">
-          <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
-          <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
-        </cpe-lang:logical-test>
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_wifi_interface:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="machine_and_not_s390x_arch">
+    <cpe-lang:platform id="package_usbguard">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-package_usbguard:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="machine_and_not_osbuild">
+    <cpe-lang:platform id="package_postfix">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:logical-test operator="AND" negate="true">
-          <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
-        </cpe-lang:logical-test>
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_sssd">
+    <cpe-lang:platform id="non-uefi">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_postfix">
+    <cpe-lang:platform id="rhcos4-rhel9">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-installed_OS_is_rhcos4_rhel9:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="machine_and_mount_var-tmp">
+    <cpe-lang:platform id="machine_and_not_osbuild">
       <cpe-lang:logical-test operator="AND" negate="false">
+        <cpe-lang:logical-test operator="AND" negate="true">
+          <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
+        </cpe-lang:logical-test>
         <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_var-tmp:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_pam">
+    <cpe-lang:platform id="package_ntp">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
-      </cpe-lang:logical-test>
-    </cpe-lang:platform>
-    <cpe-lang:platform id="not_osbuild">
-      <cpe-lang:logical-test operator="AND" negate="true">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="machine">
+    <cpe-lang:platform id="machine_and_mount_tmp">
       <cpe-lang:logical-test operator="AND" negate="false">
         <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_tmp:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="rhcos4-rhel9">
+    <cpe-lang:platform id="machine_and_package_chrony_or_package_ntp">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-installed_OS_is_rhcos4_rhel9:def:1"/>
+        <cpe-lang:logical-test operator="OR" negate="false">
+          <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
+          <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
+        </cpe-lang:logical-test>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_shadow-utils">
+    <cpe-lang:platform id="machine_and_not_s390x_arch">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-package_shadow-utils:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_polkit">
+    <cpe-lang:platform id="package_sssd">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-package_polkit:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="not_rhcos4-rhel9">
-      <cpe-lang:logical-test operator="AND" negate="true">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-installed_OS_is_rhcos4_rhel9:def:1"/>
+    <cpe-lang:platform id="machine_and_package_ufw">
+      <cpe-lang:logical-test operator="AND" negate="false">
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
     <cpe-lang:platform id="package_chrony_or_package_ntp">
@@ -123,20 +119,30 @@
         <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_systemd">
+    <cpe-lang:platform id="package_gdm">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-package_systemd:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-package_gdm:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="non-uefi">
+    <cpe-lang:platform id="package_pam">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="machine_and_mount_tmp">
+    <cpe-lang:platform id="not_rhcos4-rhel9">
+      <cpe-lang:logical-test operator="AND" negate="true">
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-installed_OS_is_rhcos4_rhel9:def:1"/>
+      </cpe-lang:logical-test>
+    </cpe-lang:platform>
+    <cpe-lang:platform id="package_chrony">
+      <cpe-lang:logical-test operator="AND" negate="false">
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
+      </cpe-lang:logical-test>
+    </cpe-lang:platform>
+    <cpe-lang:platform id="machine_and_mount_var-tmp">
       <cpe-lang:logical-test operator="AND" negate="false">
         <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_tmp:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_var-tmp:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
     <cpe-lang:platform id="package_sudo">
@@ -144,19 +150,14 @@
         <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-package_sudo:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="not_package_nftables_and_not_package_ufw">
+    <cpe-lang:platform id="package_systemd">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:logical-test operator="AND" negate="true">
-          <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-package_nftables:def:1"/>
-        </cpe-lang:logical-test>
-        <cpe-lang:logical-test operator="AND" negate="true">
-          <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
-        </cpe-lang:logical-test>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-package_systemd:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_gdm">
+    <cpe-lang:platform id="aarch64_arch">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-package_gdm:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
     <cpe-lang:platform id="grub2">
@@ -164,40 +165,45 @@
         <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_grub2_package:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="wifi-iface">
-      <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_wifi_interface:def:1"/>
+    <cpe-lang:platform id="not_osbuild">
+      <cpe-lang:logical-test operator="AND" negate="true">
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_ntp">
+    <cpe-lang:platform id="krb5_server_older_than_1_17-18_and_krb5_workstation_older_than_1_17-18">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml" id-ref="oval:ssg-krb5_server_older_than_1_17_18:def:1"/>
/usr/share/xml/scap/ssg/content/ssg-rhel7-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhel7-ds-1.2.xml	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhel7-ds-1.2.xml	2023-07-27 00:00:00.000000000 +0000
@@ -49,7 +49,7 @@
   </ds:component>
   <ds:component id="scap_org.open-scap_comp_ssg-rhel7-xccdf.xml" timestamp="2023-07-27T00:00:00">
     <xccdf-1.2:Benchmark id="xccdf_org.ssgproject.content_benchmark_RHEL-7" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.2 xccdf-1.2.xsd" style="SCAP_1.2" resolved="true" xml:lang="en-US">
-      <xccdf-1.2:status date="2023-07-27">draft</xccdf-1.2:status>
+      <xccdf-1.2:status date="2039-08-29">draft</xccdf-1.2:status>
       <xccdf-1.2:title>Guide to the Secure Configuration of Red Hat Enterprise Linux 7</xccdf-1.2:title>
       <xccdf-1.2:description>This guide presents a catalog of security-relevant
 configuration settings for Red Hat Enterprise Linux 7. It is a rendering of
@@ -92,29 +92,42 @@
 countries. All other names are registered trademarks or trademarks of their
 respective companies.</xccdf-1.2:rear-matter>
       <cpe-lang:platform-specification>
-        <cpe-lang:platform id="machine_and_package_chrony_or_package_ntp">
+        <cpe-lang:platform id="wifi-iface">
           <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_wifi_interface:def:1"/>
+          </cpe-lang:logical-test>
+        </cpe-lang:platform>
+        <cpe-lang:platform id="not_aarch64_arch_and_os_linux_ol_gt_or_eq_9_0_or_aarch64_arch_and_os_linux_rhel_gt_or_eq_9_0_or_os_linux_rhel_le_or_eq_8_4_and_s390x_arch">
+          <cpe-lang:logical-test operator="AND" negate="true">
             <cpe-lang:logical-test operator="OR" negate="false">
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
+              <cpe-lang:logical-test operator="AND" negate="false">
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1"/>
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-os_linux_ol_gt_or_eq_9_0:def:1"/>
+              </cpe-lang:logical-test>
+              <cpe-lang:logical-test operator="AND" negate="false">
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1"/>
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_gt_or_eq_9_0:def:1"/>
+              </cpe-lang:logical-test>
+              <cpe-lang:logical-test operator="AND" negate="false">
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_le_or_eq_8_4:def:1"/>
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_s390x:def:1"/>
+              </cpe-lang:logical-test>
             </cpe-lang:logical-test>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_net-snmp">
+        <cpe-lang:platform id="package_yum">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_net-snmp:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_yum:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_not_s390x_arch">
+        <cpe-lang:platform id="package_postfix">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="os_linux_rhel_le_or_eq_8_5">
+        <cpe-lang:platform id="non-uefi">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_le_or_eq_8_5:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="machine_and_not_osbuild">
@@ -125,66 +138,77 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_sssd">
+        <cpe-lang:platform id="package_tftp-server">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_tftp-server:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_postfix">
+        <cpe-lang:platform id="package_ntp">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_mount_var-tmp">
+        <cpe-lang:platform id="machine_and_mount_tmp">
           <cpe-lang:logical-test operator="AND" negate="false">
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_var-tmp:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_tmp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_pam">
+        <cpe-lang:platform id="krb5_server_older_than_1_17-18">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-krb5_server_older_than_1_17_18:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="krb5_workstation_older_than_1_17-18_and_no_ovirt">
+        <cpe-lang:platform id="machine_and_package_chrony_or_package_ntp">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-krb5_workstation_older_than_1_17_18:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_no_ovirt:def:1"/>
+            <cpe-lang:logical-test operator="OR" negate="false">
+              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
+              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
+            </cpe-lang:logical-test>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="not_osbuild">
-          <cpe-lang:logical-test operator="AND" negate="true">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
+        <cpe-lang:platform id="machine_and_not_s390x_arch">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine">
+        <cpe-lang:platform id="package_sssd">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_shadow-utils">
+        <cpe-lang:platform id="machine_and_package_ufw">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_shadow-utils:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_polkit">
+        <cpe-lang:platform id="package_libuser">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_polkit:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_libuser:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_yum">
+        <cpe-lang:platform id="package_chrony_or_package_ntp">
+          <cpe-lang:logical-test operator="OR" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
+          </cpe-lang:logical-test>
+        </cpe-lang:platform>
+        <cpe-lang:platform id="package_nftables">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_yum:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_nftables:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_libuser">
+        <cpe-lang:platform id="package_gdm">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_libuser:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_gdm:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_nss-pam-ldapd">
+        <cpe-lang:platform id="package_pam">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_nss-pam-ldapd:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="not_s390x_arch">
@@ -192,36 +216,36 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
+        <cpe-lang:platform id="sssd-ldap">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-sssd_conf_uses_ldap:def:1"/>
+          </cpe-lang:logical-test>
+        </cpe-lang:platform>
         <cpe-lang:platform id="not_rhcos4-rhel9">
           <cpe-lang:logical-test operator="AND" negate="true">
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_OS_is_rhcos4_rhel9:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_chrony_or_package_ntp">
-          <cpe-lang:logical-test operator="OR" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
-          </cpe-lang:logical-test>
-        </cpe-lang:platform>
-        <cpe-lang:platform id="package_tftp-server">
+        <cpe-lang:platform id="package_chrony">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_tftp-server:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_systemd">
+        <cpe-lang:platform id="package_net-snmp">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_systemd:def:1"/>
/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml	2023-07-27 00:00:00.000000000 +0000
@@ -51,7 +51,7 @@
   </ds:component>
   <ds:component id="scap_org.open-scap_comp_ssg-rhel7-xccdf.xml" timestamp="2023-07-27T00:00:00">
     <xccdf-1.2:Benchmark id="xccdf_org.ssgproject.content_benchmark_RHEL-7" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.2 xccdf-1.2.xsd" style="SCAP_1.2" resolved="true" xml:lang="en-US">
-      <xccdf-1.2:status date="2023-07-27">draft</xccdf-1.2:status>
+      <xccdf-1.2:status date="2039-08-29">draft</xccdf-1.2:status>
       <xccdf-1.2:title>Guide to the Secure Configuration of Red Hat Enterprise Linux 7</xccdf-1.2:title>
       <xccdf-1.2:description>This guide presents a catalog of security-relevant
 configuration settings for Red Hat Enterprise Linux 7. It is a rendering of
@@ -94,29 +94,42 @@
 countries. All other names are registered trademarks or trademarks of their
 respective companies.</xccdf-1.2:rear-matter>
       <cpe-lang:platform-specification>
-        <cpe-lang:platform id="machine_and_package_chrony_or_package_ntp">
+        <cpe-lang:platform id="wifi-iface">
           <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_wifi_interface:def:1"/>
+          </cpe-lang:logical-test>
+        </cpe-lang:platform>
+        <cpe-lang:platform id="not_aarch64_arch_and_os_linux_ol_gt_or_eq_9_0_or_aarch64_arch_and_os_linux_rhel_gt_or_eq_9_0_or_os_linux_rhel_le_or_eq_8_4_and_s390x_arch">
+          <cpe-lang:logical-test operator="AND" negate="true">
             <cpe-lang:logical-test operator="OR" negate="false">
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
+              <cpe-lang:logical-test operator="AND" negate="false">
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1"/>
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-os_linux_ol_gt_or_eq_9_0:def:1"/>
+              </cpe-lang:logical-test>
+              <cpe-lang:logical-test operator="AND" negate="false">
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1"/>
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_gt_or_eq_9_0:def:1"/>
+              </cpe-lang:logical-test>
+              <cpe-lang:logical-test operator="AND" negate="false">
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_le_or_eq_8_4:def:1"/>
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_s390x:def:1"/>
+              </cpe-lang:logical-test>
             </cpe-lang:logical-test>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_net-snmp">
+        <cpe-lang:platform id="package_yum">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_net-snmp:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_yum:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_not_s390x_arch">
+        <cpe-lang:platform id="package_postfix">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="os_linux_rhel_le_or_eq_8_5">
+        <cpe-lang:platform id="non-uefi">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_le_or_eq_8_5:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="machine_and_not_osbuild">
@@ -127,66 +140,77 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_sssd">
+        <cpe-lang:platform id="package_tftp-server">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_tftp-server:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_postfix">
+        <cpe-lang:platform id="package_ntp">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_mount_var-tmp">
+        <cpe-lang:platform id="machine_and_mount_tmp">
           <cpe-lang:logical-test operator="AND" negate="false">
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_var-tmp:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_tmp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_pam">
+        <cpe-lang:platform id="krb5_server_older_than_1_17-18">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-krb5_server_older_than_1_17_18:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="krb5_workstation_older_than_1_17-18_and_no_ovirt">
+        <cpe-lang:platform id="machine_and_package_chrony_or_package_ntp">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-krb5_workstation_older_than_1_17_18:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_no_ovirt:def:1"/>
+            <cpe-lang:logical-test operator="OR" negate="false">
+              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
+              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
+            </cpe-lang:logical-test>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="not_osbuild">
-          <cpe-lang:logical-test operator="AND" negate="true">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
+        <cpe-lang:platform id="machine_and_not_s390x_arch">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine">
+        <cpe-lang:platform id="package_sssd">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_shadow-utils">
+        <cpe-lang:platform id="machine_and_package_ufw">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_shadow-utils:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_polkit">
+        <cpe-lang:platform id="package_libuser">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_polkit:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_libuser:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_yum">
+        <cpe-lang:platform id="package_chrony_or_package_ntp">
+          <cpe-lang:logical-test operator="OR" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
+          </cpe-lang:logical-test>
+        </cpe-lang:platform>
+        <cpe-lang:platform id="package_nftables">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_yum:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_nftables:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_libuser">
+        <cpe-lang:platform id="package_gdm">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_libuser:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_gdm:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_nss-pam-ldapd">
+        <cpe-lang:platform id="package_pam">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_nss-pam-ldapd:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="not_s390x_arch">
@@ -194,36 +218,36 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
+        <cpe-lang:platform id="sssd-ldap">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-sssd_conf_uses_ldap:def:1"/>
+          </cpe-lang:logical-test>
+        </cpe-lang:platform>
         <cpe-lang:platform id="not_rhcos4-rhel9">
           <cpe-lang:logical-test operator="AND" negate="true">
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_OS_is_rhcos4_rhel9:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_chrony_or_package_ntp">
-          <cpe-lang:logical-test operator="OR" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
-          </cpe-lang:logical-test>
-        </cpe-lang:platform>
-        <cpe-lang:platform id="package_tftp-server">
+        <cpe-lang:platform id="package_chrony">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_tftp-server:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_systemd">
+        <cpe-lang:platform id="package_net-snmp">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_systemd:def:1"/>
/usr/share/xml/scap/ssg/content/ssg-rhel7-ocil.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhel7-ocil.xml	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhel7-ocil.xml	2023-07-27 00:00:00.000000000 +0000
@@ -7,772 +7,772 @@
     <ocil:timestamp>2023-07-27T00:00:00</ocil:timestamp>
   </ocil:generator>
   <ocil:questionnaires>
-    <ocil:questionnaire id="ocil:ssg-package_tar_installed_ocil:questionnaire:1">
-      <ocil:title>Install tar Package</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-sebool_httpd_can_network_relay_ocil:questionnaire:1">
+      <ocil:title>Disable the httpd_can_network_relay SELinux Boolean</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-package_tar_installed_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-sebool_httpd_can_network_relay_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-account_passwords_pam_faillock_dir_ocil:questionnaire:1">
-      <ocil:title>Account Lockouts Must Persist</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-httpd_enable_log_config_ocil:questionnaire:1">
+      <ocil:title>Enable log_config_module For HTTPD Logging</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-account_passwords_pam_faillock_dir_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-httpd_enable_log_config_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-sshd_enable_warning_banner_net_ocil:questionnaire:1">
-      <ocil:title>Enable SSH Warning Banner</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-file_permissions_unauthorized_sgid_ocil:questionnaire:1">
+      <ocil:title>Ensure All SGID Executables Are Authorized</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-sshd_enable_warning_banner_net_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-file_permissions_unauthorized_sgid_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-mount_option_tmp_nodev_ocil:questionnaire:1">
-      <ocil:title>Add nodev Option to /tmp</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-partition_for_usr_ocil:questionnaire:1">
+      <ocil:title>Ensure /usr Located On Separate Partition</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-mount_option_tmp_nodev_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-partition_for_usr_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-package_rpcbind_removed_ocil:questionnaire:1">
-      <ocil:title>Uninstall rpcbind Package</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-audit_rules_successful_file_modification_openat_o_trunc_write_ocil:questionnaire:1">
+      <ocil:title>Record Successful Creation Attempts to Files - openat O_TRUNC_WRITE</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-package_rpcbind_removed_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-audit_rules_successful_file_modification_openat_o_trunc_write_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-mount_option_nodev_nonroot_local_partitions_ocil:questionnaire:1">
-      <ocil:title>Add nodev Option to Non-Root Local Partitions</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-configure_firewalld_ports_ocil:questionnaire:1">
+      <ocil:title>Configure the Firewalld Ports</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-mount_option_nodev_nonroot_local_partitions_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-configure_firewalld_ports_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-sebool_zoneminder_run_sudo_ocil:questionnaire:1">
-      <ocil:title>Disable the zoneminder_run_sudo SELinux Boolean</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-service_smb_disabled_ocil:questionnaire:1">
+      <ocil:title>Disable Samba</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-sebool_zoneminder_run_sudo_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-service_smb_disabled_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-dconf_gnome_screensaver_idle_activation_locked_ocil:questionnaire:1">
-      <ocil:title>Ensure Users Cannot Change GNOME3 Screensaver Idle Activation</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-kernel_config_kexec_ocil:questionnaire:1">
+      <ocil:title>Disable kexec system call</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-dconf_gnome_screensaver_idle_activation_locked_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-kernel_config_kexec_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-ntpd_configure_restrictions_ocil:questionnaire:1">
-      <ocil:title>Configure server restrictions for ntpd</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-no_legacy_plus_entries_etc_shadow_ocil:questionnaire:1">
+      <ocil:title>Ensure there are no legacy + NIS entries in /etc/shadow</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-ntpd_configure_restrictions_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-no_legacy_plus_entries_etc_shadow_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-sebool_ftpd_connect_all_unreserved_ocil:questionnaire:1">
-      <ocil:title>Disable the ftpd_connect_all_unreserved SELinux Boolean</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-accounts_password_set_max_life_existing_ocil:questionnaire:1">
+      <ocil:title>Set Existing Passwords Maximum Age</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-sebool_ftpd_connect_all_unreserved_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-accounts_password_set_max_life_existing_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-package_MFEhiplsm_installed_ocil:questionnaire:1">
-      <ocil:title>Install the Host Intrusion Prevention System (HIPS) Module</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-sebool_xen_use_nfs_ocil:questionnaire:1">
+      <ocil:title>Disable the xen_use_nfs SELinux Boolean</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-package_MFEhiplsm_installed_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-sebool_xen_use_nfs_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-grub2_disable_recovery_ocil:questionnaire:1">
-      <ocil:title>Disable Recovery Booting</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-sebool_logging_syslogd_use_tty_ocil:questionnaire:1">
+      <ocil:title>Enable the logging_syslogd_use_tty SELinux Boolean</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-grub2_disable_recovery_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-sebool_logging_syslogd_use_tty_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write_ocil:questionnaire:1">
-      <ocil:title>Record Unsuccessful Modification Attempts to Files - open_by_handle_at O_TRUNC_WRITE</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-mount_option_var_log_audit_nosuid_ocil:questionnaire:1">
+      <ocil:title>Add nosuid Option to /var/log/audit</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-mount_option_var_log_audit_nosuid_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-sudo_vdsm_nopasswd_ocil:questionnaire:1">
-      <ocil:title>Only the VDSM User Can Use sudo NOPASSWD</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-file_permission_user_init_files_ocil:questionnaire:1">
+      <ocil:title>Ensure All User Initialization Files Have Mode 0740 Or Less Permissive</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-sudo_vdsm_nopasswd_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-file_permission_user_init_files_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-tftpd_uses_secure_mode_ocil:questionnaire:1">
-      <ocil:title>Ensure tftp Daemon Uses Secure Mode</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-has_nonlocal_mta_ocil:questionnaire:1">
+      <ocil:title>Ensure Mail Transfer Agent is not Listening on any non-loopback Address</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-tftpd_uses_secure_mode_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-has_nonlocal_mta_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-package_samba-common_installed_ocil:questionnaire:1">
-      <ocil:title>Install the Samba Common Package</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-sebool_cluster_use_execmem_ocil:questionnaire:1">
+      <ocil:title>Disable the cluster_use_execmem SELinux Boolean</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-package_samba-common_installed_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-sebool_cluster_use_execmem_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-file_owner_var_log_messages_ocil:questionnaire:1">
-      <ocil:title>Verify User Who Owns /var/log/messages File</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-sebool_smbd_anon_write_ocil:questionnaire:1">
+      <ocil:title>Disable the smbd_anon_write SELinux Boolean</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-file_owner_var_log_messages_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-sebool_smbd_anon_write_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv6_conf_default_accept_ra_pinfo_ocil:questionnaire:1">
-      <ocil:title>Configure Accepting Prefix Information in Router Advertisements on All IPv6 Interfaces By Default</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-mount_option_noexec_remote_filesystems_ocil:questionnaire:1">
+      <ocil:title>Mount Remote Filesystems with noexec</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv6_conf_default_accept_ra_pinfo_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-mount_option_noexec_remote_filesystems_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-httpd_enable_loglevel_ocil:questionnaire:1">
-      <ocil:title>Enable HTTPD LogLevel</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-package_ypserv_removed_ocil:questionnaire:1">
+      <ocil:title>Uninstall ypserv Package</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-httpd_enable_loglevel_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-package_ypserv_removed_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-grub2_password_ocil:questionnaire:1">
-      <ocil:title>Set Boot Loader Password in grub2</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-file_owner_cron_hourly_ocil:questionnaire:1">
+      <ocil:title>Verify Owner on cron.hourly</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-grub2_password_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-file_owner_cron_hourly_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv4_conf_default_send_redirects_ocil:questionnaire:1">
-      <ocil:title>Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-audit_rules_login_events_tallylog_ocil:questionnaire:1">
+      <ocil:title>Record Attempts to Alter Logon and Logout Events - tallylog</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv4_conf_default_send_redirects_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-audit_rules_login_events_tallylog_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-file_groupowner_etc_shadow_ocil:questionnaire:1">
-      <ocil:title>Verify Group Who Owns shadow File</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-service_tftp_disabled_ocil:questionnaire:1">
+      <ocil:title>Disable tftp Service</ocil:title>
       <ocil:actions>
/usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml	2023-07-27 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
 <?xml version="1.0"?>
 <xccdf-1.2:Benchmark xmlns:cpe-lang="http://cpe.mitre.org/language/2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:html="http://www.w3.org/1999/xhtml" xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="xccdf_org.ssgproject.content_benchmark_RHEL-7" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.2 xccdf-1.2.xsd" style="SCAP_1.2" resolved="true" xml:lang="en-US">
-  <xccdf-1.2:status date="2023-07-27">draft</xccdf-1.2:status>
+  <xccdf-1.2:status date="2039-08-29">draft</xccdf-1.2:status>
   <xccdf-1.2:title>Guide to the Secure Configuration of Red Hat Enterprise Linux 7</xccdf-1.2:title>
   <xccdf-1.2:description>This guide presents a catalog of security-relevant
 configuration settings for Red Hat Enterprise Linux 7. It is a rendering of
@@ -43,29 +43,42 @@
 countries. All other names are registered trademarks or trademarks of their
 respective companies.</xccdf-1.2:rear-matter>
   <cpe-lang:platform-specification>
-    <cpe-lang:platform id="machine_and_package_chrony_or_package_ntp">
+    <cpe-lang:platform id="wifi-iface">
       <cpe-lang:logical-test operator="AND" negate="false">
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_wifi_interface:def:1"/>
+      </cpe-lang:logical-test>
+    </cpe-lang:platform>
+    <cpe-lang:platform id="not_aarch64_arch_and_os_linux_ol_gt_or_eq_9_0_or_aarch64_arch_and_os_linux_rhel_gt_or_eq_9_0_or_os_linux_rhel_le_or_eq_8_4_and_s390x_arch">
+      <cpe-lang:logical-test operator="AND" negate="true">
         <cpe-lang:logical-test operator="OR" negate="false">
-          <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
-          <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-os_linux_ol_gt_or_eq_9_0:def:1"/>
+          </cpe-lang:logical-test>
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_gt_or_eq_9_0:def:1"/>
+          </cpe-lang:logical-test>
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_le_or_eq_8_4:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_s390x:def:1"/>
+          </cpe-lang:logical-test>
         </cpe-lang:logical-test>
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_net-snmp">
+    <cpe-lang:platform id="package_yum">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_net-snmp:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_yum:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="machine_and_not_s390x_arch">
+    <cpe-lang:platform id="package_postfix">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="os_linux_rhel_le_or_eq_8_5">
+    <cpe-lang:platform id="non-uefi">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_le_or_eq_8_5:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
     <cpe-lang:platform id="machine_and_not_osbuild">
@@ -76,66 +89,77 @@
         <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_sssd">
+    <cpe-lang:platform id="package_tftp-server">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_tftp-server:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_postfix">
+    <cpe-lang:platform id="package_ntp">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="machine_and_mount_var-tmp">
+    <cpe-lang:platform id="machine_and_mount_tmp">
       <cpe-lang:logical-test operator="AND" negate="false">
         <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_var-tmp:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_tmp:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_pam">
+    <cpe-lang:platform id="krb5_server_older_than_1_17-18">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-krb5_server_older_than_1_17_18:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="krb5_workstation_older_than_1_17-18_and_no_ovirt">
+    <cpe-lang:platform id="machine_and_package_chrony_or_package_ntp">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-krb5_workstation_older_than_1_17_18:def:1"/>
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_no_ovirt:def:1"/>
+        <cpe-lang:logical-test operator="OR" negate="false">
+          <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
+          <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
+        </cpe-lang:logical-test>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="not_osbuild">
-      <cpe-lang:logical-test operator="AND" negate="true">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
+    <cpe-lang:platform id="machine_and_not_s390x_arch">
+      <cpe-lang:logical-test operator="AND" negate="false">
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="machine">
+    <cpe-lang:platform id="package_sssd">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_shadow-utils">
+    <cpe-lang:platform id="machine_and_package_ufw">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_shadow-utils:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_polkit">
+    <cpe-lang:platform id="package_libuser">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_polkit:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_libuser:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_yum">
+    <cpe-lang:platform id="package_chrony_or_package_ntp">
+      <cpe-lang:logical-test operator="OR" negate="false">
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
+      </cpe-lang:logical-test>
+    </cpe-lang:platform>
+    <cpe-lang:platform id="package_nftables">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_yum:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_nftables:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_libuser">
+    <cpe-lang:platform id="package_gdm">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_libuser:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_gdm:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_nss-pam-ldapd">
+    <cpe-lang:platform id="package_pam">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_nss-pam-ldapd:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
     <cpe-lang:platform id="not_s390x_arch">
@@ -143,36 +167,36 @@
         <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
+    <cpe-lang:platform id="sssd-ldap">
+      <cpe-lang:logical-test operator="AND" negate="false">
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-sssd_conf_uses_ldap:def:1"/>
+      </cpe-lang:logical-test>
+    </cpe-lang:platform>
     <cpe-lang:platform id="not_rhcos4-rhel9">
       <cpe-lang:logical-test operator="AND" negate="true">
         <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_OS_is_rhcos4_rhel9:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_chrony_or_package_ntp">
-      <cpe-lang:logical-test operator="OR" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
-      </cpe-lang:logical-test>
-    </cpe-lang:platform>
-    <cpe-lang:platform id="package_tftp-server">
+    <cpe-lang:platform id="package_chrony">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_tftp-server:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_systemd">
+    <cpe-lang:platform id="package_net-snmp">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_systemd:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_net-snmp:def:1"/>
/usr/share/xml/scap/ssg/content/ssg-rhel8-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhel8-ds-1.2.xml	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhel8-ds-1.2.xml	2023-07-27 00:00:00.000000000 +0000
@@ -77,7 +77,7 @@
   </ds:component>
   <ds:component id="scap_org.open-scap_comp_ssg-rhel8-xccdf.xml" timestamp="2023-07-27T00:00:00">
     <xccdf-1.2:Benchmark id="xccdf_org.ssgproject.content_benchmark_RHEL-8" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.2 xccdf-1.2.xsd" style="SCAP_1.2" resolved="true" xml:lang="en-US">
-      <xccdf-1.2:status date="2023-07-27">draft</xccdf-1.2:status>
+      <xccdf-1.2:status date="2039-08-29">draft</xccdf-1.2:status>
       <xccdf-1.2:title>Guide to the Secure Configuration of Red Hat Enterprise Linux 8</xccdf-1.2:title>
       <xccdf-1.2:description>This guide presents a catalog of security-relevant
 configuration settings for Red Hat Enterprise Linux 8. It is a rendering of
@@ -120,29 +120,47 @@
 countries. All other names are registered trademarks or trademarks of their
 respective companies.</xccdf-1.2:rear-matter>
       <cpe-lang:platform-specification>
-        <cpe-lang:platform id="machine_and_package_chrony_or_package_ntp">
+        <cpe-lang:platform id="wifi-iface">
           <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_wifi_interface:def:1"/>
+          </cpe-lang:logical-test>
+        </cpe-lang:platform>
+        <cpe-lang:platform id="not_aarch64_arch_and_os_linux_ol_gt_or_eq_9_0_or_aarch64_arch_and_os_linux_rhel_gt_or_eq_9_0_or_os_linux_rhel_le_or_eq_8_4_and_s390x_arch">
+          <cpe-lang:logical-test operator="AND" negate="true">
             <cpe-lang:logical-test operator="OR" negate="false">
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
+              <cpe-lang:logical-test operator="AND" negate="false">
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1"/>
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-os_linux_ol_gt_or_eq_9_0:def:1"/>
+              </cpe-lang:logical-test>
+              <cpe-lang:logical-test operator="AND" negate="false">
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1"/>
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_gt_or_eq_9_0:def:1"/>
+              </cpe-lang:logical-test>
+              <cpe-lang:logical-test operator="AND" negate="false">
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_le_or_eq_8_4:def:1"/>
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_s390x:def:1"/>
+              </cpe-lang:logical-test>
             </cpe-lang:logical-test>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_net-snmp">
+        <cpe-lang:platform id="package_usbguard">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_net-snmp:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_usbguard:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_not_s390x_arch">
+        <cpe-lang:platform id="package_yum">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_yum:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="os_linux_rhel_le_or_eq_8_5">
+        <cpe-lang:platform id="package_postfix">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_le_or_eq_8_5:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
+          </cpe-lang:logical-test>
+        </cpe-lang:platform>
+        <cpe-lang:platform id="non-uefi">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="machine_and_not_osbuild">
@@ -153,77 +171,89 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_sssd">
+        <cpe-lang:platform id="package_tftp-server">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_tftp-server:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_postfix">
+        <cpe-lang:platform id="package_ntp">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_mount_var-tmp">
+        <cpe-lang:platform id="machine_and_uefi">
           <cpe-lang:logical-test operator="AND" negate="false">
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_var-tmp:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_uefi:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_pam">
+        <cpe-lang:platform id="machine_and_mount_tmp">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_tmp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="krb5_workstation_older_than_1_17-18_and_no_ovirt">
+        <cpe-lang:platform id="krb5_server_older_than_1_17-18">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-krb5_workstation_older_than_1_17_18:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_no_ovirt:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-krb5_server_older_than_1_17_18:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="not_osbuild">
-          <cpe-lang:logical-test operator="AND" negate="true">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
+        <cpe-lang:platform id="machine_and_package_chrony_or_package_ntp">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:logical-test operator="OR" negate="false">
+              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
+              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
+            </cpe-lang:logical-test>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine">
+        <cpe-lang:platform id="machine_and_not_s390x_arch">
           <cpe-lang:logical-test operator="AND" negate="false">
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_shadow-utils">
+        <cpe-lang:platform id="package_sssd">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_shadow-utils:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_polkit">
+        <cpe-lang:platform id="machine_and_package_ufw">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_polkit:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_yum">
+        <cpe-lang:platform id="package_libuser">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_yum:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_libuser:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="os_linux_rhel_gt_or_eq_8_7_and_os_linux_rhel_ne_9_0">
+        <cpe-lang:platform id="package_chrony_or_package_ntp">
+          <cpe-lang:logical-test operator="OR" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
+          </cpe-lang:logical-test>
+        </cpe-lang:platform>
+        <cpe-lang:platform id="package_nftables">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_gt_or_eq_8_7:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_ne_9_0:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_nftables:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_libuser">
+        <cpe-lang:platform id="package_gdm">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_libuser:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_gdm:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="no_ovirt">
+        <cpe-lang:platform id="package_pam">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_no_ovirt:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_nss-pam-ldapd">
+        <cpe-lang:platform id="os_linux_rhel_gt_or_eq_8_7_and_os_linux_rhel_ne_9_0">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_nss-pam-ldapd:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_gt_or_eq_8_7:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_ne_9_0:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="not_s390x_arch">
@@ -231,36 +261,36 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
+        <cpe-lang:platform id="sssd-ldap">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-sssd_conf_uses_ldap:def:1"/>
+          </cpe-lang:logical-test>
+        </cpe-lang:platform>
         <cpe-lang:platform id="not_rhcos4-rhel9">
/usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhel8-ds.xml	2023-07-27 00:00:00.000000000 +0000
@@ -79,7 +79,7 @@
   </ds:component>
   <ds:component id="scap_org.open-scap_comp_ssg-rhel8-xccdf.xml" timestamp="2023-07-27T00:00:00">
     <xccdf-1.2:Benchmark id="xccdf_org.ssgproject.content_benchmark_RHEL-8" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.2 xccdf-1.2.xsd" style="SCAP_1.2" resolved="true" xml:lang="en-US">
-      <xccdf-1.2:status date="2023-07-27">draft</xccdf-1.2:status>
+      <xccdf-1.2:status date="2039-08-29">draft</xccdf-1.2:status>
       <xccdf-1.2:title>Guide to the Secure Configuration of Red Hat Enterprise Linux 8</xccdf-1.2:title>
       <xccdf-1.2:description>This guide presents a catalog of security-relevant
 configuration settings for Red Hat Enterprise Linux 8. It is a rendering of
@@ -122,29 +122,47 @@
 countries. All other names are registered trademarks or trademarks of their
 respective companies.</xccdf-1.2:rear-matter>
       <cpe-lang:platform-specification>
-        <cpe-lang:platform id="machine_and_package_chrony_or_package_ntp">
+        <cpe-lang:platform id="wifi-iface">
           <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_wifi_interface:def:1"/>
+          </cpe-lang:logical-test>
+        </cpe-lang:platform>
+        <cpe-lang:platform id="not_aarch64_arch_and_os_linux_ol_gt_or_eq_9_0_or_aarch64_arch_and_os_linux_rhel_gt_or_eq_9_0_or_os_linux_rhel_le_or_eq_8_4_and_s390x_arch">
+          <cpe-lang:logical-test operator="AND" negate="true">
             <cpe-lang:logical-test operator="OR" negate="false">
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
+              <cpe-lang:logical-test operator="AND" negate="false">
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1"/>
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-os_linux_ol_gt_or_eq_9_0:def:1"/>
+              </cpe-lang:logical-test>
+              <cpe-lang:logical-test operator="AND" negate="false">
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1"/>
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_gt_or_eq_9_0:def:1"/>
+              </cpe-lang:logical-test>
+              <cpe-lang:logical-test operator="AND" negate="false">
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_le_or_eq_8_4:def:1"/>
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_s390x:def:1"/>
+              </cpe-lang:logical-test>
             </cpe-lang:logical-test>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_net-snmp">
+        <cpe-lang:platform id="package_usbguard">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_net-snmp:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_usbguard:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_not_s390x_arch">
+        <cpe-lang:platform id="package_yum">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_yum:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="os_linux_rhel_le_or_eq_8_5">
+        <cpe-lang:platform id="package_postfix">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_le_or_eq_8_5:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
+          </cpe-lang:logical-test>
+        </cpe-lang:platform>
+        <cpe-lang:platform id="non-uefi">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="machine_and_not_osbuild">
@@ -155,77 +173,89 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_sssd">
+        <cpe-lang:platform id="package_tftp-server">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_tftp-server:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_postfix">
+        <cpe-lang:platform id="package_ntp">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_mount_var-tmp">
+        <cpe-lang:platform id="machine_and_uefi">
           <cpe-lang:logical-test operator="AND" negate="false">
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_var-tmp:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_uefi:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_pam">
+        <cpe-lang:platform id="machine_and_mount_tmp">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_tmp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="krb5_workstation_older_than_1_17-18_and_no_ovirt">
+        <cpe-lang:platform id="krb5_server_older_than_1_17-18">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-krb5_workstation_older_than_1_17_18:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_no_ovirt:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-krb5_server_older_than_1_17_18:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="not_osbuild">
-          <cpe-lang:logical-test operator="AND" negate="true">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
+        <cpe-lang:platform id="machine_and_package_chrony_or_package_ntp">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:logical-test operator="OR" negate="false">
+              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
+              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
+            </cpe-lang:logical-test>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine">
+        <cpe-lang:platform id="machine_and_not_s390x_arch">
           <cpe-lang:logical-test operator="AND" negate="false">
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_shadow-utils">
+        <cpe-lang:platform id="package_sssd">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_shadow-utils:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_polkit">
+        <cpe-lang:platform id="machine_and_package_ufw">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_polkit:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_yum">
+        <cpe-lang:platform id="package_libuser">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_yum:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_libuser:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="os_linux_rhel_gt_or_eq_8_7_and_os_linux_rhel_ne_9_0">
+        <cpe-lang:platform id="package_chrony_or_package_ntp">
+          <cpe-lang:logical-test operator="OR" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
+          </cpe-lang:logical-test>
+        </cpe-lang:platform>
+        <cpe-lang:platform id="package_nftables">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_gt_or_eq_8_7:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_ne_9_0:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_nftables:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_libuser">
+        <cpe-lang:platform id="package_gdm">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_libuser:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_gdm:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="no_ovirt">
+        <cpe-lang:platform id="package_pam">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_no_ovirt:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_nss-pam-ldapd">
+        <cpe-lang:platform id="os_linux_rhel_gt_or_eq_8_7_and_os_linux_rhel_ne_9_0">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_nss-pam-ldapd:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_gt_or_eq_8_7:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_ne_9_0:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="not_s390x_arch">
@@ -233,36 +263,36 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
+        <cpe-lang:platform id="sssd-ldap">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-sssd_conf_uses_ldap:def:1"/>
+          </cpe-lang:logical-test>
+        </cpe-lang:platform>
         <cpe-lang:platform id="not_rhcos4-rhel9">
/usr/share/xml/scap/ssg/content/ssg-rhel8-ocil.xml differs (XML 1.0 document, ASCII text)
--- old//usr/share/xml/scap/ssg/content/ssg-rhel8-ocil.xml	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhel8-ocil.xml	2023-07-27 00:00:00.000000000 +0000
@@ -7,862 +7,881 @@
     <ocil:timestamp>2023-07-27T00:00:00</ocil:timestamp>
   </ocil:generator>
   <ocil:questionnaires>
-    <ocil:questionnaire id="ocil:ssg-package_tar_installed_ocil:questionnaire:1">
-      <ocil:title>Install tar Package</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-sebool_httpd_can_network_relay_ocil:questionnaire:1">
+      <ocil:title>Disable the httpd_can_network_relay SELinux Boolean</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-package_tar_installed_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-sebool_httpd_can_network_relay_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-account_passwords_pam_faillock_dir_ocil:questionnaire:1">
-      <ocil:title>Account Lockouts Must Persist</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-httpd_enable_log_config_ocil:questionnaire:1">
+      <ocil:title>Enable log_config_module For HTTPD Logging</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-account_passwords_pam_faillock_dir_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-httpd_enable_log_config_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-sshd_enable_warning_banner_net_ocil:questionnaire:1">
-      <ocil:title>Enable SSH Warning Banner</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-file_permissions_unauthorized_sgid_ocil:questionnaire:1">
+      <ocil:title>Ensure All SGID Executables Are Authorized</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-sshd_enable_warning_banner_net_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-file_permissions_unauthorized_sgid_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-mount_option_tmp_nodev_ocil:questionnaire:1">
-      <ocil:title>Add nodev Option to /tmp</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-partition_for_usr_ocil:questionnaire:1">
+      <ocil:title>Ensure /usr Located On Separate Partition</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-mount_option_tmp_nodev_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-partition_for_usr_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-package_rpcbind_removed_ocil:questionnaire:1">
-      <ocil:title>Uninstall rpcbind Package</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-audit_rules_successful_file_modification_openat_o_trunc_write_ocil:questionnaire:1">
+      <ocil:title>Record Successful Creation Attempts to Files - openat O_TRUNC_WRITE</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-package_rpcbind_removed_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-audit_rules_successful_file_modification_openat_o_trunc_write_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-mount_option_nodev_nonroot_local_partitions_ocil:questionnaire:1">
-      <ocil:title>Add nodev Option to Non-Root Local Partitions</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-audit_rules_kernel_module_loading_query_ocil:questionnaire:1">
+      <ocil:title>Ensure auditd Collects Information on Kernel Module Loading and Unloading - query_module</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-mount_option_nodev_nonroot_local_partitions_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-audit_rules_kernel_module_loading_query_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-set_password_hashing_min_rounds_logindefs_ocil:questionnaire:1">
-      <ocil:title>Set Password Hashing Rounds in /etc/login.defs</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-no_tmux_in_shells_ocil:questionnaire:1">
+      <ocil:title>Prevent user from disabling the screen lock</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-set_password_hashing_min_rounds_logindefs_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-no_tmux_in_shells_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-sebool_zoneminder_run_sudo_ocil:questionnaire:1">
-      <ocil:title>Disable the zoneminder_run_sudo SELinux Boolean</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-configure_firewalld_ports_ocil:questionnaire:1">
+      <ocil:title>Configure the Firewalld Ports</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-sebool_zoneminder_run_sudo_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-configure_firewalld_ports_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-dconf_gnome_screensaver_idle_activation_locked_ocil:questionnaire:1">
-      <ocil:title>Ensure Users Cannot Change GNOME3 Screensaver Idle Activation</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-service_smb_disabled_ocil:questionnaire:1">
+      <ocil:title>Disable Samba</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-dconf_gnome_screensaver_idle_activation_locked_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-service_smb_disabled_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-zipl_audit_argument_ocil:questionnaire:1">
-      <ocil:title>Enable Auditing to Start Prior to the Audit Daemon in zIPL</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-kernel_config_kexec_ocil:questionnaire:1">
+      <ocil:title>Disable kexec system call</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-zipl_audit_argument_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-kernel_config_kexec_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-sebool_ftpd_connect_all_unreserved_ocil:questionnaire:1">
-      <ocil:title>Disable the ftpd_connect_all_unreserved SELinux Boolean</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-no_legacy_plus_entries_etc_shadow_ocil:questionnaire:1">
+      <ocil:title>Ensure there are no legacy + NIS entries in /etc/shadow</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-sebool_ftpd_connect_all_unreserved_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-no_legacy_plus_entries_etc_shadow_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-package_MFEhiplsm_installed_ocil:questionnaire:1">
-      <ocil:title>Install the Host Intrusion Prevention System (HIPS) Module</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-accounts_password_set_max_life_existing_ocil:questionnaire:1">
+      <ocil:title>Set Existing Passwords Maximum Age</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-package_MFEhiplsm_installed_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-accounts_password_set_max_life_existing_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-grub2_disable_recovery_ocil:questionnaire:1">
-      <ocil:title>Disable Recovery Booting</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-sebool_xen_use_nfs_ocil:questionnaire:1">
+      <ocil:title>Disable the xen_use_nfs SELinux Boolean</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-grub2_disable_recovery_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-sebool_xen_use_nfs_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write_ocil:questionnaire:1">
-      <ocil:title>Record Unsuccessful Modification Attempts to Files - open_by_handle_at O_TRUNC_WRITE</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-sebool_logging_syslogd_use_tty_ocil:questionnaire:1">
+      <ocil:title>Enable the logging_syslogd_use_tty SELinux Boolean</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-sebool_logging_syslogd_use_tty_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-sudo_vdsm_nopasswd_ocil:questionnaire:1">
-      <ocil:title>Only the VDSM User Can Use sudo NOPASSWD</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-mount_option_var_log_audit_nosuid_ocil:questionnaire:1">
+      <ocil:title>Add nosuid Option to /var/log/audit</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-sudo_vdsm_nopasswd_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-mount_option_var_log_audit_nosuid_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-tftpd_uses_secure_mode_ocil:questionnaire:1">
-      <ocil:title>Ensure tftp Daemon Uses Secure Mode</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-file_permission_user_init_files_ocil:questionnaire:1">
+      <ocil:title>Ensure All User Initialization Files Have Mode 0740 Or Less Permissive</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-tftpd_uses_secure_mode_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-file_permission_user_init_files_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-socket_systemd-journal-remote_disabled_ocil:questionnaire:1">
-      <ocil:title>Disable systemd-journal-remote Socket</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-has_nonlocal_mta_ocil:questionnaire:1">
+      <ocil:title>Ensure Mail Transfer Agent is not Listening on any non-loopback Address</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-socket_systemd-journal-remote_disabled_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-has_nonlocal_mta_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-kernel_module_iwlwifi_disabled_ocil:questionnaire:1">
-      <ocil:title>Disable Kernel iwlwifi Module</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-sebool_cluster_use_execmem_ocil:questionnaire:1">
+      <ocil:title>Disable the cluster_use_execmem SELinux Boolean</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-kernel_module_iwlwifi_disabled_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-sebool_cluster_use_execmem_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-package_samba-common_installed_ocil:questionnaire:1">
-      <ocil:title>Install the Samba Common Package</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-audit_sudo_log_events_ocil:questionnaire:1">
+      <ocil:title>Record Attempts to perform maintenance activities</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-package_samba-common_installed_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-audit_sudo_log_events_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-file_owner_var_log_messages_ocil:questionnaire:1">
-      <ocil:title>Verify User Who Owns /var/log/messages File</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-sebool_smbd_anon_write_ocil:questionnaire:1">
+      <ocil:title>Disable the smbd_anon_write SELinux Boolean</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-file_owner_var_log_messages_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-sebool_smbd_anon_write_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv6_conf_default_accept_ra_pinfo_ocil:questionnaire:1">
-      <ocil:title>Configure Accepting Prefix Information in Router Advertisements on All IPv6 Interfaces By Default</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-audit_rules_immutable_login_uids_ocil:questionnaire:1">
+      <ocil:title>Configure immutable Audit login UIDs</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv6_conf_default_accept_ra_pinfo_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-audit_rules_immutable_login_uids_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-httpd_enable_loglevel_ocil:questionnaire:1">
-      <ocil:title>Enable HTTPD LogLevel</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-mount_option_noexec_remote_filesystems_ocil:questionnaire:1">
+      <ocil:title>Mount Remote Filesystems with noexec</ocil:title>
       <ocil:actions>
/usr/share/xml/scap/ssg/content/ssg-rhel8-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhel8-xccdf.xml	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhel8-xccdf.xml	2023-07-27 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
 <?xml version="1.0"?>
 <xccdf-1.2:Benchmark xmlns:cpe-lang="http://cpe.mitre.org/language/2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:html="http://www.w3.org/1999/xhtml" xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="xccdf_org.ssgproject.content_benchmark_RHEL-8" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.2 xccdf-1.2.xsd" style="SCAP_1.2" resolved="true" xml:lang="en-US">
-  <xccdf-1.2:status date="2023-07-27">draft</xccdf-1.2:status>
+  <xccdf-1.2:status date="2039-08-29">draft</xccdf-1.2:status>
   <xccdf-1.2:title>Guide to the Secure Configuration of Red Hat Enterprise Linux 8</xccdf-1.2:title>
   <xccdf-1.2:description>This guide presents a catalog of security-relevant
 configuration settings for Red Hat Enterprise Linux 8. It is a rendering of
@@ -43,29 +43,47 @@
 countries. All other names are registered trademarks or trademarks of their
 respective companies.</xccdf-1.2:rear-matter>
   <cpe-lang:platform-specification>
-    <cpe-lang:platform id="machine_and_package_chrony_or_package_ntp">
+    <cpe-lang:platform id="wifi-iface">
       <cpe-lang:logical-test operator="AND" negate="false">
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_wifi_interface:def:1"/>
+      </cpe-lang:logical-test>
+    </cpe-lang:platform>
+    <cpe-lang:platform id="not_aarch64_arch_and_os_linux_ol_gt_or_eq_9_0_or_aarch64_arch_and_os_linux_rhel_gt_or_eq_9_0_or_os_linux_rhel_le_or_eq_8_4_and_s390x_arch">
+      <cpe-lang:logical-test operator="AND" negate="true">
         <cpe-lang:logical-test operator="OR" negate="false">
-          <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
-          <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-os_linux_ol_gt_or_eq_9_0:def:1"/>
+          </cpe-lang:logical-test>
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_gt_or_eq_9_0:def:1"/>
+          </cpe-lang:logical-test>
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_le_or_eq_8_4:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_s390x:def:1"/>
+          </cpe-lang:logical-test>
         </cpe-lang:logical-test>
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_net-snmp">
+    <cpe-lang:platform id="package_usbguard">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_net-snmp:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_usbguard:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="machine_and_not_s390x_arch">
+    <cpe-lang:platform id="package_yum">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_yum:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="os_linux_rhel_le_or_eq_8_5">
+    <cpe-lang:platform id="package_postfix">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_le_or_eq_8_5:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
+      </cpe-lang:logical-test>
+    </cpe-lang:platform>
+    <cpe-lang:platform id="non-uefi">
+      <cpe-lang:logical-test operator="AND" negate="false">
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
     <cpe-lang:platform id="machine_and_not_osbuild">
@@ -76,77 +94,89 @@
         <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_sssd">
+    <cpe-lang:platform id="package_tftp-server">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_tftp-server:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_postfix">
+    <cpe-lang:platform id="package_ntp">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="machine_and_mount_var-tmp">
+    <cpe-lang:platform id="machine_and_uefi">
       <cpe-lang:logical-test operator="AND" negate="false">
         <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_var-tmp:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_uefi:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_pam">
+    <cpe-lang:platform id="machine_and_mount_tmp">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_tmp:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="krb5_workstation_older_than_1_17-18_and_no_ovirt">
+    <cpe-lang:platform id="krb5_server_older_than_1_17-18">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-krb5_workstation_older_than_1_17_18:def:1"/>
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_no_ovirt:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-krb5_server_older_than_1_17_18:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="not_osbuild">
-      <cpe-lang:logical-test operator="AND" negate="true">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
+    <cpe-lang:platform id="machine_and_package_chrony_or_package_ntp">
+      <cpe-lang:logical-test operator="AND" negate="false">
+        <cpe-lang:logical-test operator="OR" negate="false">
+          <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
+          <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
+        </cpe-lang:logical-test>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="machine">
+    <cpe-lang:platform id="machine_and_not_s390x_arch">
       <cpe-lang:logical-test operator="AND" negate="false">
         <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_shadow-utils">
+    <cpe-lang:platform id="package_sssd">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_shadow-utils:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_polkit">
+    <cpe-lang:platform id="machine_and_package_ufw">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_polkit:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_yum">
+    <cpe-lang:platform id="package_libuser">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_yum:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_libuser:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="os_linux_rhel_gt_or_eq_8_7_and_os_linux_rhel_ne_9_0">
+    <cpe-lang:platform id="package_chrony_or_package_ntp">
+      <cpe-lang:logical-test operator="OR" negate="false">
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
+      </cpe-lang:logical-test>
+    </cpe-lang:platform>
+    <cpe-lang:platform id="package_nftables">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_gt_or_eq_8_7:def:1"/>
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_ne_9_0:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_nftables:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_libuser">
+    <cpe-lang:platform id="package_gdm">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_libuser:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_gdm:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="no_ovirt">
+    <cpe-lang:platform id="package_pam">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_no_ovirt:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_nss-pam-ldapd">
+    <cpe-lang:platform id="os_linux_rhel_gt_or_eq_8_7_and_os_linux_rhel_ne_9_0">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-package_nss-pam-ldapd:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_gt_or_eq_8_7:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_ne_9_0:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
     <cpe-lang:platform id="not_s390x_arch">
@@ -154,36 +184,36 @@
         <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
+    <cpe-lang:platform id="sssd-ldap">
+      <cpe-lang:logical-test operator="AND" negate="false">
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel8-cpe-oval.xml" id-ref="oval:ssg-sssd_conf_uses_ldap:def:1"/>
+      </cpe-lang:logical-test>
+    </cpe-lang:platform>
     <cpe-lang:platform id="not_rhcos4-rhel9">
       <cpe-lang:logical-test operator="AND" negate="true">
/usr/share/xml/scap/ssg/content/ssg-rhel9-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhel9-ds-1.2.xml	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhel9-ds-1.2.xml	2023-07-27 00:00:00.000000000 +0000
@@ -33,7 +33,7 @@
   </ds:component>
   <ds:component id="scap_org.open-scap_comp_ssg-rhel9-xccdf.xml" timestamp="2023-07-27T00:00:00">
     <xccdf-1.2:Benchmark id="xccdf_org.ssgproject.content_benchmark_RHEL-9" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.2 xccdf-1.2.xsd" style="SCAP_1.2" resolved="true" xml:lang="en-US">
-      <xccdf-1.2:status date="2023-07-27">draft</xccdf-1.2:status>
+      <xccdf-1.2:status date="2039-08-29">draft</xccdf-1.2:status>
       <xccdf-1.2:title>Guide to the Secure Configuration of Red Hat Enterprise Linux 9</xccdf-1.2:title>
       <xccdf-1.2:description>This guide presents a catalog of security-relevant
 configuration settings for Red Hat Enterprise Linux 9. It is a rendering of
@@ -76,20 +76,9 @@
 countries. All other names are registered trademarks or trademarks of their
 respective companies.</xccdf-1.2:rear-matter>
       <cpe-lang:platform-specification>
-        <cpe-lang:platform id="package_net-snmp">
-          <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_net-snmp:def:1"/>
-          </cpe-lang:logical-test>
-        </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_not_s390x_arch">
+        <cpe-lang:platform id="wifi-iface">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
-          </cpe-lang:logical-test>
-        </cpe-lang:platform>
-        <cpe-lang:platform id="not_ppc64le_arch">
-          <cpe-lang:logical-test operator="AND" negate="true">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_ppc64le:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_wifi_interface:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="not_aarch64_arch_and_not_ppc64le_arch">
@@ -102,22 +91,37 @@
             </cpe-lang:logical-test>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="os_linux_rhel_le_or_eq_8_5">
-          <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_le_or_eq_8_5:def:1"/>
+        <cpe-lang:platform id="not_aarch64_arch_and_os_linux_ol_gt_or_eq_9_0_or_aarch64_arch_and_os_linux_rhel_gt_or_eq_9_0_or_os_linux_rhel_le_or_eq_8_4_and_s390x_arch">
+          <cpe-lang:logical-test operator="AND" negate="true">
+            <cpe-lang:logical-test operator="OR" negate="false">
+              <cpe-lang:logical-test operator="AND" negate="false">
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1"/>
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-os_linux_ol_gt_or_eq_9_0:def:1"/>
+              </cpe-lang:logical-test>
+              <cpe-lang:logical-test operator="AND" negate="false">
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1"/>
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_gt_or_eq_9_0:def:1"/>
+              </cpe-lang:logical-test>
+              <cpe-lang:logical-test operator="AND" negate="false">
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_le_or_eq_8_4:def:1"/>
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_s390x:def:1"/>
+              </cpe-lang:logical-test>
+            </cpe-lang:logical-test>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_not_osbuild">
+        <cpe-lang:platform id="package_usbguard">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:logical-test operator="AND" negate="true">
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
-            </cpe-lang:logical-test>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_usbguard:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_sssd">
+        <cpe-lang:platform id="package_yum">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_yum:def:1"/>
+          </cpe-lang:logical-test>
+        </cpe-lang:platform>
+        <cpe-lang:platform id="not_ppc64le_arch">
+          <cpe-lang:logical-test operator="AND" negate="true">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_ppc64le:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="package_postfix">
@@ -125,62 +129,71 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_mount_var-tmp">
+        <cpe-lang:platform id="non-uefi">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
+          </cpe-lang:logical-test>
+        </cpe-lang:platform>
+        <cpe-lang:platform id="machine_and_not_osbuild">
           <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:logical-test operator="AND" negate="true">
+              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
+            </cpe-lang:logical-test>
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_var-tmp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_pam">
+        <cpe-lang:platform id="ppc64le_arch">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_ppc64le:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="krb5_workstation_older_than_1_17-18_and_no_ovirt">
+        <cpe-lang:platform id="package_tftp-server">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-krb5_workstation_older_than_1_17_18:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_no_ovirt:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_tftp-server:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="not_osbuild">
-          <cpe-lang:logical-test operator="AND" negate="true">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
+        <cpe-lang:platform id="package_ntp">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine">
+        <cpe-lang:platform id="machine_and_uefi">
           <cpe-lang:logical-test operator="AND" negate="false">
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_uefi:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_shadow-utils">
+        <cpe-lang:platform id="machine_and_mount_tmp">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_shadow-utils:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_tmp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_polkit">
+        <cpe-lang:platform id="krb5_server_older_than_1_17-18">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_polkit:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-krb5_server_older_than_1_17_18:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_yum">
+        <cpe-lang:platform id="machine_and_not_s390x_arch">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_yum:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="os_linux_rhel_gt_or_eq_8_7_and_os_linux_rhel_ne_9_0">
+        <cpe-lang:platform id="package_sssd">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_gt_or_eq_8_7:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_ne_9_0:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_libuser">
+        <cpe-lang:platform id="machine_and_package_ufw">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_libuser:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="not_s390x_arch">
+        <cpe-lang:platform id="package_libuser">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_libuser:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="package_chrony_or_package_ntp">
@@ -189,86 +202,77 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_tftp-server">
-          <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_tftp-server:def:1"/>
-          </cpe-lang:logical-test>
-        </cpe-lang:platform>
-        <cpe-lang:platform id="package_systemd">
+        <cpe-lang:platform id="package_nftables">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_systemd:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_nftables:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="non-uefi">
+        <cpe-lang:platform id="package_gdm">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_gdm:def:1"/>
           </cpe-lang:logical-test>
/usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml	2023-07-27 00:00:00.000000000 +0000
@@ -35,7 +35,7 @@
   </ds:component>
   <ds:component id="scap_org.open-scap_comp_ssg-rhel9-xccdf.xml" timestamp="2023-07-27T00:00:00">
     <xccdf-1.2:Benchmark id="xccdf_org.ssgproject.content_benchmark_RHEL-9" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.2 xccdf-1.2.xsd" style="SCAP_1.2" resolved="true" xml:lang="en-US">
-      <xccdf-1.2:status date="2023-07-27">draft</xccdf-1.2:status>
+      <xccdf-1.2:status date="2039-08-29">draft</xccdf-1.2:status>
       <xccdf-1.2:title>Guide to the Secure Configuration of Red Hat Enterprise Linux 9</xccdf-1.2:title>
       <xccdf-1.2:description>This guide presents a catalog of security-relevant
 configuration settings for Red Hat Enterprise Linux 9. It is a rendering of
@@ -78,20 +78,9 @@
 countries. All other names are registered trademarks or trademarks of their
 respective companies.</xccdf-1.2:rear-matter>
       <cpe-lang:platform-specification>
-        <cpe-lang:platform id="package_net-snmp">
-          <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_net-snmp:def:1"/>
-          </cpe-lang:logical-test>
-        </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_not_s390x_arch">
+        <cpe-lang:platform id="wifi-iface">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
-          </cpe-lang:logical-test>
-        </cpe-lang:platform>
-        <cpe-lang:platform id="not_ppc64le_arch">
-          <cpe-lang:logical-test operator="AND" negate="true">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_ppc64le:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_wifi_interface:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="not_aarch64_arch_and_not_ppc64le_arch">
@@ -104,22 +93,37 @@
             </cpe-lang:logical-test>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="os_linux_rhel_le_or_eq_8_5">
-          <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_le_or_eq_8_5:def:1"/>
+        <cpe-lang:platform id="not_aarch64_arch_and_os_linux_ol_gt_or_eq_9_0_or_aarch64_arch_and_os_linux_rhel_gt_or_eq_9_0_or_os_linux_rhel_le_or_eq_8_4_and_s390x_arch">
+          <cpe-lang:logical-test operator="AND" negate="true">
+            <cpe-lang:logical-test operator="OR" negate="false">
+              <cpe-lang:logical-test operator="AND" negate="false">
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1"/>
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-os_linux_ol_gt_or_eq_9_0:def:1"/>
+              </cpe-lang:logical-test>
+              <cpe-lang:logical-test operator="AND" negate="false">
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1"/>
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_gt_or_eq_9_0:def:1"/>
+              </cpe-lang:logical-test>
+              <cpe-lang:logical-test operator="AND" negate="false">
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_le_or_eq_8_4:def:1"/>
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_s390x:def:1"/>
+              </cpe-lang:logical-test>
+            </cpe-lang:logical-test>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_not_osbuild">
+        <cpe-lang:platform id="package_usbguard">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:logical-test operator="AND" negate="true">
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
-            </cpe-lang:logical-test>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_usbguard:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_sssd">
+        <cpe-lang:platform id="package_yum">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_yum:def:1"/>
+          </cpe-lang:logical-test>
+        </cpe-lang:platform>
+        <cpe-lang:platform id="not_ppc64le_arch">
+          <cpe-lang:logical-test operator="AND" negate="true">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_ppc64le:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="package_postfix">
@@ -127,62 +131,71 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_mount_var-tmp">
+        <cpe-lang:platform id="non-uefi">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
+          </cpe-lang:logical-test>
+        </cpe-lang:platform>
+        <cpe-lang:platform id="machine_and_not_osbuild">
           <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:logical-test operator="AND" negate="true">
+              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
+            </cpe-lang:logical-test>
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_var-tmp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_pam">
+        <cpe-lang:platform id="ppc64le_arch">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_ppc64le:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="krb5_workstation_older_than_1_17-18_and_no_ovirt">
+        <cpe-lang:platform id="package_tftp-server">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-krb5_workstation_older_than_1_17_18:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_no_ovirt:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_tftp-server:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="not_osbuild">
-          <cpe-lang:logical-test operator="AND" negate="true">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
+        <cpe-lang:platform id="package_ntp">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine">
+        <cpe-lang:platform id="machine_and_uefi">
           <cpe-lang:logical-test operator="AND" negate="false">
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_uefi:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_shadow-utils">
+        <cpe-lang:platform id="machine_and_mount_tmp">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_shadow-utils:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_tmp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_polkit">
+        <cpe-lang:platform id="krb5_server_older_than_1_17-18">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_polkit:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-krb5_server_older_than_1_17_18:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_yum">
+        <cpe-lang:platform id="machine_and_not_s390x_arch">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_yum:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="os_linux_rhel_gt_or_eq_8_7_and_os_linux_rhel_ne_9_0">
+        <cpe-lang:platform id="package_sssd">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_gt_or_eq_8_7:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_ne_9_0:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_libuser">
+        <cpe-lang:platform id="machine_and_package_ufw">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_libuser:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="not_s390x_arch">
+        <cpe-lang:platform id="package_libuser">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_libuser:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="package_chrony_or_package_ntp">
@@ -191,86 +204,77 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_tftp-server">
-          <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_tftp-server:def:1"/>
-          </cpe-lang:logical-test>
-        </cpe-lang:platform>
-        <cpe-lang:platform id="package_systemd">
+        <cpe-lang:platform id="package_nftables">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_systemd:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_nftables:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="non-uefi">
+        <cpe-lang:platform id="package_gdm">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_gdm:def:1"/>
           </cpe-lang:logical-test>
/usr/share/xml/scap/ssg/content/ssg-rhel9-ocil.xml differs (XML 1.0 document, ASCII text)
--- old//usr/share/xml/scap/ssg/content/ssg-rhel9-ocil.xml	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhel9-ocil.xml	2023-07-27 00:00:00.000000000 +0000
@@ -7,202 +7,196 @@
     <ocil:timestamp>2023-07-27T00:00:00</ocil:timestamp>
   </ocil:generator>
   <ocil:questionnaires>
-    <ocil:questionnaire id="ocil:ssg-account_passwords_pam_faillock_dir_ocil:questionnaire:1">
-      <ocil:title>Account Lockouts Must Persist</ocil:title>
-      <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-account_passwords_pam_faillock_dir_action:testaction:1</ocil:test_action_ref>
-      </ocil:actions>
-    </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-sshd_enable_warning_banner_net_ocil:questionnaire:1">
-      <ocil:title>Enable SSH Warning Banner</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-sebool_httpd_can_network_relay_ocil:questionnaire:1">
+      <ocil:title>Disable the httpd_can_network_relay SELinux Boolean</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-sshd_enable_warning_banner_net_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-sebool_httpd_can_network_relay_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-mount_option_tmp_nodev_ocil:questionnaire:1">
-      <ocil:title>Add nodev Option to /tmp</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-file_permissions_unauthorized_sgid_ocil:questionnaire:1">
+      <ocil:title>Ensure All SGID Executables Are Authorized</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-mount_option_tmp_nodev_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-file_permissions_unauthorized_sgid_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-package_rpcbind_removed_ocil:questionnaire:1">
-      <ocil:title>Uninstall rpcbind Package</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-audit_rules_successful_file_modification_openat_o_trunc_write_ocil:questionnaire:1">
+      <ocil:title>Record Successful Creation Attempts to Files - openat O_TRUNC_WRITE</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-package_rpcbind_removed_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-audit_rules_successful_file_modification_openat_o_trunc_write_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-mount_option_nodev_nonroot_local_partitions_ocil:questionnaire:1">
-      <ocil:title>Add nodev Option to Non-Root Local Partitions</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-audit_rules_kernel_module_loading_query_ocil:questionnaire:1">
+      <ocil:title>Ensure auditd Collects Information on Kernel Module Loading and Unloading - query_module</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-mount_option_nodev_nonroot_local_partitions_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-audit_rules_kernel_module_loading_query_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-set_password_hashing_min_rounds_logindefs_ocil:questionnaire:1">
-      <ocil:title>Set Password Hashing Rounds in /etc/login.defs</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-no_tmux_in_shells_ocil:questionnaire:1">
+      <ocil:title>Prevent user from disabling the screen lock</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-set_password_hashing_min_rounds_logindefs_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-no_tmux_in_shells_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-sebool_zoneminder_run_sudo_ocil:questionnaire:1">
-      <ocil:title>Disable the zoneminder_run_sudo SELinux Boolean</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-configure_firewalld_ports_ocil:questionnaire:1">
+      <ocil:title>Configure the Firewalld Ports</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-sebool_zoneminder_run_sudo_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-configure_firewalld_ports_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-dconf_gnome_screensaver_idle_activation_locked_ocil:questionnaire:1">
-      <ocil:title>Ensure Users Cannot Change GNOME3 Screensaver Idle Activation</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-service_smb_disabled_ocil:questionnaire:1">
+      <ocil:title>Disable Samba</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-dconf_gnome_screensaver_idle_activation_locked_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-service_smb_disabled_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-zipl_audit_argument_ocil:questionnaire:1">
-      <ocil:title>Enable Auditing to Start Prior to the Audit Daemon in zIPL</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-kernel_config_kexec_ocil:questionnaire:1">
+      <ocil:title>Disable kexec system call</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-zipl_audit_argument_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-kernel_config_kexec_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-sebool_ftpd_connect_all_unreserved_ocil:questionnaire:1">
-      <ocil:title>Disable the ftpd_connect_all_unreserved SELinux Boolean</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-no_legacy_plus_entries_etc_shadow_ocil:questionnaire:1">
+      <ocil:title>Ensure there are no legacy + NIS entries in /etc/shadow</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-sebool_ftpd_connect_all_unreserved_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-no_legacy_plus_entries_etc_shadow_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-package_MFEhiplsm_installed_ocil:questionnaire:1">
-      <ocil:title>Install the Host Intrusion Prevention System (HIPS) Module</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-accounts_password_set_max_life_existing_ocil:questionnaire:1">
+      <ocil:title>Set Existing Passwords Maximum Age</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-package_MFEhiplsm_installed_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-accounts_password_set_max_life_existing_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-grub2_disable_recovery_ocil:questionnaire:1">
-      <ocil:title>Disable Recovery Booting</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-sebool_xen_use_nfs_ocil:questionnaire:1">
+      <ocil:title>Disable the xen_use_nfs SELinux Boolean</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-grub2_disable_recovery_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-sebool_xen_use_nfs_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write_ocil:questionnaire:1">
-      <ocil:title>Record Unsuccessful Modification Attempts to Files - open_by_handle_at O_TRUNC_WRITE</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-sebool_logging_syslogd_use_tty_ocil:questionnaire:1">
+      <ocil:title>Enable the logging_syslogd_use_tty SELinux Boolean</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-sebool_logging_syslogd_use_tty_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-sudo_vdsm_nopasswd_ocil:questionnaire:1">
-      <ocil:title>Only the VDSM User Can Use sudo NOPASSWD</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-mount_option_var_log_audit_nosuid_ocil:questionnaire:1">
+      <ocil:title>Add nosuid Option to /var/log/audit</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-sudo_vdsm_nopasswd_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-mount_option_var_log_audit_nosuid_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-tftpd_uses_secure_mode_ocil:questionnaire:1">
-      <ocil:title>Ensure tftp Daemon Uses Secure Mode</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-file_permission_user_init_files_ocil:questionnaire:1">
+      <ocil:title>Ensure All User Initialization Files Have Mode 0740 Or Less Permissive</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-tftpd_uses_secure_mode_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-file_permission_user_init_files_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-socket_systemd-journal-remote_disabled_ocil:questionnaire:1">
-      <ocil:title>Disable systemd-journal-remote Socket</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-has_nonlocal_mta_ocil:questionnaire:1">
+      <ocil:title>Ensure Mail Transfer Agent is not Listening on any non-loopback Address</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-socket_systemd-journal-remote_disabled_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-has_nonlocal_mta_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-kernel_module_iwlwifi_disabled_ocil:questionnaire:1">
-      <ocil:title>Disable Kernel iwlwifi Module</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-sebool_cluster_use_execmem_ocil:questionnaire:1">
+      <ocil:title>Disable the cluster_use_execmem SELinux Boolean</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-kernel_module_iwlwifi_disabled_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-sebool_cluster_use_execmem_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-package_samba-common_installed_ocil:questionnaire:1">
-      <ocil:title>Install the Samba Common Package</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-audit_modify_success_aarch64_ocil:questionnaire:1">
+      <ocil:title>Configure auditing of successful file modifications (AArch64)</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-package_samba-common_installed_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-audit_modify_success_aarch64_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-file_owner_var_log_messages_ocil:questionnaire:1">
-      <ocil:title>Verify User Who Owns /var/log/messages File</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-audit_sudo_log_events_ocil:questionnaire:1">
+      <ocil:title>Record Attempts to perform maintenance activities</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-file_owner_var_log_messages_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-audit_sudo_log_events_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv6_conf_default_accept_ra_pinfo_ocil:questionnaire:1">
-      <ocil:title>Configure Accepting Prefix Information in Router Advertisements on All IPv6 Interfaces By Default</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-sebool_smbd_anon_write_ocil:questionnaire:1">
+      <ocil:title>Disable the smbd_anon_write SELinux Boolean</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv6_conf_default_accept_ra_pinfo_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-sebool_smbd_anon_write_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-grub2_password_ocil:questionnaire:1">
-      <ocil:title>Set Boot Loader Password in grub2</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-mount_option_noexec_remote_filesystems_ocil:questionnaire:1">
+      <ocil:title>Mount Remote Filesystems with noexec</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-grub2_password_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-mount_option_noexec_remote_filesystems_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv4_conf_default_send_redirects_ocil:questionnaire:1">
-      <ocil:title>Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-package_ypserv_removed_ocil:questionnaire:1">
+      <ocil:title>Uninstall ypserv Package</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv4_conf_default_send_redirects_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-package_ypserv_removed_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
/usr/share/xml/scap/ssg/content/ssg-rhel9-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhel9-xccdf.xml	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhel9-xccdf.xml	2023-07-27 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
 <?xml version="1.0"?>
 <xccdf-1.2:Benchmark xmlns:cpe-lang="http://cpe.mitre.org/language/2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:html="http://www.w3.org/1999/xhtml" xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="xccdf_org.ssgproject.content_benchmark_RHEL-9" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.2 xccdf-1.2.xsd" style="SCAP_1.2" resolved="true" xml:lang="en-US">
-  <xccdf-1.2:status date="2023-07-27">draft</xccdf-1.2:status>
+  <xccdf-1.2:status date="2039-08-29">draft</xccdf-1.2:status>
   <xccdf-1.2:title>Guide to the Secure Configuration of Red Hat Enterprise Linux 9</xccdf-1.2:title>
   <xccdf-1.2:description>This guide presents a catalog of security-relevant
 configuration settings for Red Hat Enterprise Linux 9. It is a rendering of
@@ -43,20 +43,9 @@
 countries. All other names are registered trademarks or trademarks of their
 respective companies.</xccdf-1.2:rear-matter>
   <cpe-lang:platform-specification>
-    <cpe-lang:platform id="package_net-snmp">
-      <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_net-snmp:def:1"/>
-      </cpe-lang:logical-test>
-    </cpe-lang:platform>
-    <cpe-lang:platform id="machine_and_not_s390x_arch">
+    <cpe-lang:platform id="wifi-iface">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
-      </cpe-lang:logical-test>
-    </cpe-lang:platform>
-    <cpe-lang:platform id="not_ppc64le_arch">
-      <cpe-lang:logical-test operator="AND" negate="true">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_ppc64le:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_wifi_interface:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
     <cpe-lang:platform id="not_aarch64_arch_and_not_ppc64le_arch">
@@ -69,22 +58,37 @@
         </cpe-lang:logical-test>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="os_linux_rhel_le_or_eq_8_5">
-      <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_le_or_eq_8_5:def:1"/>
+    <cpe-lang:platform id="not_aarch64_arch_and_os_linux_ol_gt_or_eq_9_0_or_aarch64_arch_and_os_linux_rhel_gt_or_eq_9_0_or_os_linux_rhel_le_or_eq_8_4_and_s390x_arch">
+      <cpe-lang:logical-test operator="AND" negate="true">
+        <cpe-lang:logical-test operator="OR" negate="false">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-os_linux_ol_gt_or_eq_9_0:def:1"/>
+          </cpe-lang:logical-test>
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_gt_or_eq_9_0:def:1"/>
+          </cpe-lang:logical-test>
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_le_or_eq_8_4:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_s390x:def:1"/>
+          </cpe-lang:logical-test>
+        </cpe-lang:logical-test>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="machine_and_not_osbuild">
+    <cpe-lang:platform id="package_usbguard">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:logical-test operator="AND" negate="true">
-          <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
-        </cpe-lang:logical-test>
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_usbguard:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_sssd">
+    <cpe-lang:platform id="package_yum">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_yum:def:1"/>
+      </cpe-lang:logical-test>
+    </cpe-lang:platform>
+    <cpe-lang:platform id="not_ppc64le_arch">
+      <cpe-lang:logical-test operator="AND" negate="true">
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_ppc64le:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
     <cpe-lang:platform id="package_postfix">
@@ -92,62 +96,71 @@
         <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="machine_and_mount_var-tmp">
+    <cpe-lang:platform id="non-uefi">
       <cpe-lang:logical-test operator="AND" negate="false">
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
+      </cpe-lang:logical-test>
+    </cpe-lang:platform>
+    <cpe-lang:platform id="machine_and_not_osbuild">
+      <cpe-lang:logical-test operator="AND" negate="false">
+        <cpe-lang:logical-test operator="AND" negate="true">
+          <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
+        </cpe-lang:logical-test>
         <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_var-tmp:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_pam">
+    <cpe-lang:platform id="ppc64le_arch">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_ppc64le:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="krb5_workstation_older_than_1_17-18_and_no_ovirt">
+    <cpe-lang:platform id="package_tftp-server">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-krb5_workstation_older_than_1_17_18:def:1"/>
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_no_ovirt:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_tftp-server:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="not_osbuild">
-      <cpe-lang:logical-test operator="AND" negate="true">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
+    <cpe-lang:platform id="package_ntp">
+      <cpe-lang:logical-test operator="AND" negate="false">
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="machine">
+    <cpe-lang:platform id="machine_and_uefi">
       <cpe-lang:logical-test operator="AND" negate="false">
         <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_uefi:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_shadow-utils">
+    <cpe-lang:platform id="machine_and_mount_tmp">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_shadow-utils:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_tmp:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_polkit">
+    <cpe-lang:platform id="krb5_server_older_than_1_17-18">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_polkit:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-krb5_server_older_than_1_17_18:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_yum">
+    <cpe-lang:platform id="machine_and_not_s390x_arch">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_yum:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="os_linux_rhel_gt_or_eq_8_7_and_os_linux_rhel_ne_9_0">
+    <cpe-lang:platform id="package_sssd">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_gt_or_eq_8_7:def:1"/>
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_ne_9_0:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_libuser">
+    <cpe-lang:platform id="machine_and_package_ufw">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_libuser:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="not_s390x_arch">
+    <cpe-lang:platform id="package_libuser">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_libuser:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
     <cpe-lang:platform id="package_chrony_or_package_ntp">
@@ -156,86 +169,77 @@
         <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_tftp-server">
-      <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_tftp-server:def:1"/>
-      </cpe-lang:logical-test>
-    </cpe-lang:platform>
-    <cpe-lang:platform id="package_systemd">
+    <cpe-lang:platform id="package_nftables">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_systemd:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_nftables:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="non-uefi">
+    <cpe-lang:platform id="package_gdm">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel9-cpe-oval.xml" id-ref="oval:ssg-package_gdm:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
/usr/share/xml/scap/ssg/content/ssg-rhv4-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhv4-ds-1.2.xml	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhv4-ds-1.2.xml	2023-07-27 00:00:00.000000000 +0000
@@ -37,7 +37,7 @@
   </ds:component>
   <ds:component id="scap_org.open-scap_comp_ssg-rhv4-xccdf.xml" timestamp="2023-07-27T00:00:00">
     <xccdf-1.2:Benchmark id="xccdf_org.ssgproject.content_benchmark_RHV-4" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.2 xccdf-1.2.xsd" style="SCAP_1.2" resolved="true" xml:lang="en-US">
-      <xccdf-1.2:status date="2023-07-27">draft</xccdf-1.2:status>
+      <xccdf-1.2:status date="2039-08-29">draft</xccdf-1.2:status>
       <xccdf-1.2:title>Guide to the Secure Configuration of Red Hat Virtualization 4</xccdf-1.2:title>
       <xccdf-1.2:description>This guide presents a catalog of security-relevant
 configuration settings for Red Hat Virtualization 4. It is a rendering of
@@ -80,19 +80,24 @@
 countries. All other names are registered trademarks or trademarks of their
 respective companies.</xccdf-1.2:rear-matter>
       <cpe-lang:platform-specification>
-        <cpe-lang:platform id="machine_and_package_chrony_or_package_ntp">
+        <cpe-lang:platform id="wifi-iface">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:logical-test operator="OR" negate="false">
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
-            </cpe-lang:logical-test>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_wifi_interface:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_not_s390x_arch">
+        <cpe-lang:platform id="package_yum">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-package_yum:def:1"/>
+          </cpe-lang:logical-test>
+        </cpe-lang:platform>
+        <cpe-lang:platform id="package_postfix">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
+          </cpe-lang:logical-test>
+        </cpe-lang:platform>
+        <cpe-lang:platform id="non-uefi">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="machine_and_not_osbuild">
@@ -103,54 +108,61 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_sssd">
+        <cpe-lang:platform id="package_tftp-server">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-package_tftp-server:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_postfix">
+        <cpe-lang:platform id="package_ntp">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_pam">
+        <cpe-lang:platform id="machine_and_package_chrony_or_package_ntp">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
-          </cpe-lang:logical-test>
-        </cpe-lang:platform>
-        <cpe-lang:platform id="not_osbuild">
-          <cpe-lang:logical-test operator="AND" negate="true">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
+            <cpe-lang:logical-test operator="OR" negate="false">
+              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
+              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
+            </cpe-lang:logical-test>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine">
+        <cpe-lang:platform id="machine_and_not_s390x_arch">
           <cpe-lang:logical-test operator="AND" negate="false">
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_shadow-utils">
+        <cpe-lang:platform id="package_sssd">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-package_shadow-utils:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_polkit">
+        <cpe-lang:platform id="machine_and_package_ufw">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-package_polkit:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_yum">
+        <cpe-lang:platform id="package_libuser">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-package_yum:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-package_libuser:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_libuser">
+        <cpe-lang:platform id="package_chrony_or_package_ntp">
+          <cpe-lang:logical-test operator="OR" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
+          </cpe-lang:logical-test>
+        </cpe-lang:platform>
+        <cpe-lang:platform id="package_gdm">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-package_libuser:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-package_gdm:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_nss-pam-ldapd">
+        <cpe-lang:platform id="package_pam">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-package_nss-pam-ldapd:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="not_rhcos4-rhel9">
@@ -158,15 +170,14 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-installed_OS_is_rhcos4_rhel9:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_chrony_or_package_ntp">
-          <cpe-lang:logical-test operator="OR" negate="false">
+        <cpe-lang:platform id="package_chrony">
+          <cpe-lang:logical-test operator="AND" negate="false">
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_tftp-server">
+        <cpe-lang:platform id="package_sudo">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-package_tftp-server:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-package_sudo:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="package_systemd">
@@ -174,14 +185,19 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-package_systemd:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="non-uefi">
+        <cpe-lang:platform id="aarch64_arch">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_sudo">
+        <cpe-lang:platform id="grub2">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-package_sudo:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_grub2_package:def:1"/>
+          </cpe-lang:logical-test>
+        </cpe-lang:platform>
+        <cpe-lang:platform id="not_osbuild">
+          <cpe-lang:logical-test operator="AND" negate="true">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="not_package_nftables_and_not_package_ufw">
@@ -194,34 +210,34 @@
             </cpe-lang:logical-test>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_gdm">
+        <cpe-lang:platform id="machine">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-package_gdm:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="grub2">
+        <cpe-lang:platform id="uefi">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_grub2_package:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_uefi:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="wifi-iface">
+        <cpe-lang:platform id="package_polkit">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_wifi_interface:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-package_polkit:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_ntp">
+        <cpe-lang:platform id="package_audit">
/usr/share/xml/scap/ssg/content/ssg-rhv4-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhv4-ds.xml	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhv4-ds.xml	2023-07-27 00:00:00.000000000 +0000
@@ -37,7 +37,7 @@
   </ds:component>
   <ds:component id="scap_org.open-scap_comp_ssg-rhv4-xccdf.xml" timestamp="2023-07-27T00:00:00">
     <xccdf-1.2:Benchmark id="xccdf_org.ssgproject.content_benchmark_RHV-4" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.2 xccdf-1.2.xsd" style="SCAP_1.2" resolved="true" xml:lang="en-US">
-      <xccdf-1.2:status date="2023-07-27">draft</xccdf-1.2:status>
+      <xccdf-1.2:status date="2039-08-29">draft</xccdf-1.2:status>
       <xccdf-1.2:title>Guide to the Secure Configuration of Red Hat Virtualization 4</xccdf-1.2:title>
       <xccdf-1.2:description>This guide presents a catalog of security-relevant
 configuration settings for Red Hat Virtualization 4. It is a rendering of
@@ -80,19 +80,24 @@
 countries. All other names are registered trademarks or trademarks of their
 respective companies.</xccdf-1.2:rear-matter>
       <cpe-lang:platform-specification>
-        <cpe-lang:platform id="machine_and_package_chrony_or_package_ntp">
+        <cpe-lang:platform id="wifi-iface">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:logical-test operator="OR" negate="false">
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
-            </cpe-lang:logical-test>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_wifi_interface:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_not_s390x_arch">
+        <cpe-lang:platform id="package_yum">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-package_yum:def:1"/>
+          </cpe-lang:logical-test>
+        </cpe-lang:platform>
+        <cpe-lang:platform id="package_postfix">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
+          </cpe-lang:logical-test>
+        </cpe-lang:platform>
+        <cpe-lang:platform id="non-uefi">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="machine_and_not_osbuild">
@@ -103,54 +108,61 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_sssd">
+        <cpe-lang:platform id="package_tftp-server">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-package_tftp-server:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_postfix">
+        <cpe-lang:platform id="package_ntp">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_pam">
+        <cpe-lang:platform id="machine_and_package_chrony_or_package_ntp">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
-          </cpe-lang:logical-test>
-        </cpe-lang:platform>
-        <cpe-lang:platform id="not_osbuild">
-          <cpe-lang:logical-test operator="AND" negate="true">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
+            <cpe-lang:logical-test operator="OR" negate="false">
+              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
+              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
+            </cpe-lang:logical-test>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine">
+        <cpe-lang:platform id="machine_and_not_s390x_arch">
           <cpe-lang:logical-test operator="AND" negate="false">
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_shadow-utils">
+        <cpe-lang:platform id="package_sssd">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-package_shadow-utils:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_polkit">
+        <cpe-lang:platform id="machine_and_package_ufw">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-package_polkit:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_yum">
+        <cpe-lang:platform id="package_libuser">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-package_yum:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-package_libuser:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_libuser">
+        <cpe-lang:platform id="package_chrony_or_package_ntp">
+          <cpe-lang:logical-test operator="OR" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
+          </cpe-lang:logical-test>
+        </cpe-lang:platform>
+        <cpe-lang:platform id="package_gdm">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-package_libuser:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-package_gdm:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_nss-pam-ldapd">
+        <cpe-lang:platform id="package_pam">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-package_nss-pam-ldapd:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="not_rhcos4-rhel9">
@@ -158,15 +170,14 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-installed_OS_is_rhcos4_rhel9:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_chrony_or_package_ntp">
-          <cpe-lang:logical-test operator="OR" negate="false">
+        <cpe-lang:platform id="package_chrony">
+          <cpe-lang:logical-test operator="AND" negate="false">
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_tftp-server">
+        <cpe-lang:platform id="package_sudo">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-package_tftp-server:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-package_sudo:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="package_systemd">
@@ -174,14 +185,19 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-package_systemd:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="non-uefi">
+        <cpe-lang:platform id="aarch64_arch">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_sudo">
+        <cpe-lang:platform id="grub2">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-package_sudo:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_grub2_package:def:1"/>
+          </cpe-lang:logical-test>
+        </cpe-lang:platform>
+        <cpe-lang:platform id="not_osbuild">
+          <cpe-lang:logical-test operator="AND" negate="true">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="not_package_nftables_and_not_package_ufw">
@@ -194,34 +210,34 @@
             </cpe-lang:logical-test>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_gdm">
+        <cpe-lang:platform id="machine">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-package_gdm:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="grub2">
+        <cpe-lang:platform id="uefi">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_grub2_package:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_uefi:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="wifi-iface">
+        <cpe-lang:platform id="package_polkit">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_wifi_interface:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-package_polkit:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_ntp">
+        <cpe-lang:platform id="package_audit">
/usr/share/xml/scap/ssg/content/ssg-rhv4-ocil.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhv4-ocil.xml	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhv4-ocil.xml	2023-07-27 00:00:00.000000000 +0000
@@ -7,2518 +7,2518 @@
     <ocil:timestamp>2023-07-27T00:00:00</ocil:timestamp>
   </ocil:generator>
   <ocil:questionnaires>
-    <ocil:questionnaire id="ocil:ssg-package_tar_installed_ocil:questionnaire:1">
-      <ocil:title>Install tar Package</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-configure_firewalld_ports_ocil:questionnaire:1">
+      <ocil:title>Configure the Firewalld Ports</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-package_tar_installed_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-configure_firewalld_ports_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-account_passwords_pam_faillock_dir_ocil:questionnaire:1">
-      <ocil:title>Account Lockouts Must Persist</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-kernel_config_kexec_ocil:questionnaire:1">
+      <ocil:title>Disable kexec system call</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-account_passwords_pam_faillock_dir_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-kernel_config_kexec_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-sshd_enable_warning_banner_net_ocil:questionnaire:1">
-      <ocil:title>Enable SSH Warning Banner</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-no_legacy_plus_entries_etc_shadow_ocil:questionnaire:1">
+      <ocil:title>Ensure there are no legacy + NIS entries in /etc/shadow</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-sshd_enable_warning_banner_net_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-no_legacy_plus_entries_etc_shadow_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-package_MFEhiplsm_installed_ocil:questionnaire:1">
-      <ocil:title>Install the Host Intrusion Prevention System (HIPS) Module</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-accounts_password_set_max_life_existing_ocil:questionnaire:1">
+      <ocil:title>Set Existing Passwords Maximum Age</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-package_MFEhiplsm_installed_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-accounts_password_set_max_life_existing_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-grub2_disable_recovery_ocil:questionnaire:1">
-      <ocil:title>Disable Recovery Booting</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-sebool_logging_syslogd_use_tty_ocil:questionnaire:1">
+      <ocil:title>Enable the logging_syslogd_use_tty SELinux Boolean</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-grub2_disable_recovery_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-sebool_logging_syslogd_use_tty_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-sudo_vdsm_nopasswd_ocil:questionnaire:1">
-      <ocil:title>Only the VDSM User Can Use sudo NOPASSWD</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-file_permission_user_init_files_ocil:questionnaire:1">
+      <ocil:title>Ensure All User Initialization Files Have Mode 0740 Or Less Permissive</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-sudo_vdsm_nopasswd_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-file_permission_user_init_files_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-tftpd_uses_secure_mode_ocil:questionnaire:1">
-      <ocil:title>Ensure tftp Daemon Uses Secure Mode</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-mount_option_noexec_remote_filesystems_ocil:questionnaire:1">
+      <ocil:title>Mount Remote Filesystems with noexec</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-tftpd_uses_secure_mode_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-mount_option_noexec_remote_filesystems_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-package_samba-common_installed_ocil:questionnaire:1">
-      <ocil:title>Install the Samba Common Package</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-package_ypserv_removed_ocil:questionnaire:1">
+      <ocil:title>Uninstall ypserv Package</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-package_samba-common_installed_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-package_ypserv_removed_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-file_owner_var_log_messages_ocil:questionnaire:1">
-      <ocil:title>Verify User Who Owns /var/log/messages File</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-file_owner_cron_hourly_ocil:questionnaire:1">
+      <ocil:title>Verify Owner on cron.hourly</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-file_owner_var_log_messages_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-file_owner_cron_hourly_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-grub2_password_ocil:questionnaire:1">
-      <ocil:title>Set Boot Loader Password in grub2</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-audit_rules_login_events_tallylog_ocil:questionnaire:1">
+      <ocil:title>Record Attempts to Alter Logon and Logout Events - tallylog</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-grub2_password_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-audit_rules_login_events_tallylog_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv4_conf_default_send_redirects_ocil:questionnaire:1">
-      <ocil:title>Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv6_conf_default_accept_source_route_ocil:questionnaire:1">
+      <ocil:title>Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv4_conf_default_send_redirects_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv6_conf_default_accept_source_route_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-file_groupowner_etc_shadow_ocil:questionnaire:1">
-      <ocil:title>Verify Group Who Owns shadow File</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-sebool_guest_exec_content_ocil:questionnaire:1">
+      <ocil:title>Disable the guest_exec_content SELinux Boolean</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-file_groupowner_etc_shadow_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-sebool_guest_exec_content_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-mount_option_opt_nosuid_ocil:questionnaire:1">
-      <ocil:title>Add nosuid Option to /opt</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-enable_fips_mode_ocil:questionnaire:1">
+      <ocil:title>Enable FIPS Mode</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-mount_option_opt_nosuid_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-enable_fips_mode_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-auditd_data_retention_space_left_ocil:questionnaire:1">
-      <ocil:title>Configure auditd space_left on Low Disk Space</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-rsyslog_files_ownership_ocil:questionnaire:1">
+      <ocil:title>Ensure Log Files Are Owned By Appropriate User</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-auditd_data_retention_space_left_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-rsyslog_files_ownership_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-audit_rules_successful_file_modification_fsetxattr_ocil:questionnaire:1">
-      <ocil:title>Record Successful Permission Changes to Files - fsetxattr</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-auditd_data_retention_max_log_file_action_ocil:questionnaire:1">
+      <ocil:title>Configure auditd max_log_file_action Upon Reaching Maximum Log Size</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-audit_rules_successful_file_modification_fsetxattr_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-auditd_data_retention_max_log_file_action_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-file_permissions_backup_etc_shadow_ocil:questionnaire:1">
-      <ocil:title>Verify Permissions on Backup shadow File</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-file_groupowner_var_log_syslog_ocil:questionnaire:1">
+      <ocil:title>Verify Group Who Owns /var/log/syslog File</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-file_permissions_backup_etc_shadow_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-file_groupowner_var_log_syslog_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-set_ip6tables_default_rule_ocil:questionnaire:1">
-      <ocil:title>Set Default ip6tables Policy for Incoming Packets</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-grub2_nosmep_argument_absent_ocil:questionnaire:1">
+      <ocil:title>Ensure SMEP is not disabled during boot</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-set_ip6tables_default_rule_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-grub2_nosmep_argument_absent_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-file_groupowner_backup_etc_shadow_ocil:questionnaire:1">
-      <ocil:title>Verify User Who Owns Backup shadow File</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-rsyslog_nolisten_ocil:questionnaire:1">
+      <ocil:title>Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-file_groupowner_backup_etc_shadow_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-rsyslog_nolisten_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-sebool_xguest_use_bluetooth_ocil:questionnaire:1">
-      <ocil:title>Disable the xguest_use_bluetooth SELinux Boolean</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-auditd_data_disk_full_action_ocil:questionnaire:1">
+      <ocil:title>Configure auditd Disk Full Action when Disk Space Is Full</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-sebool_xguest_use_bluetooth_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-auditd_data_disk_full_action_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-audit_rules_sysadmin_actions_ocil:questionnaire:1">
-      <ocil:title>Ensure auditd Collects System Administrator Actions</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-set_iptables_default_rule_forward_ocil:questionnaire:1">
+      <ocil:title>Set Default iptables Policy for Forwarded Packets</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-audit_rules_sysadmin_actions_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-set_iptables_default_rule_forward_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-grub2_enable_selinux_ocil:questionnaire:1">
-      <ocil:title>Ensure SELinux Not Disabled in /etc/default/grub</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-dir_ownership_library_dirs_ocil:questionnaire:1">
+      <ocil:title>Verify that Shared Library Directories Have Root Ownership</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-grub2_enable_selinux_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-dir_ownership_library_dirs_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv4_icmp_echo_ignore_broadcasts_ocil:questionnaire:1">
-      <ocil:title>Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-audit_rules_time_adjtimex_ocil:questionnaire:1">
+      <ocil:title>Record attempts to alter time through adjtimex</ocil:title>
       <ocil:actions>
/usr/share/xml/scap/ssg/content/ssg-rhv4-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-rhv4-xccdf.xml	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-rhv4-xccdf.xml	2023-07-27 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
 <?xml version="1.0"?>
 <xccdf-1.2:Benchmark xmlns:cpe-lang="http://cpe.mitre.org/language/2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:html="http://www.w3.org/1999/xhtml" xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="xccdf_org.ssgproject.content_benchmark_RHV-4" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.2 xccdf-1.2.xsd" style="SCAP_1.2" resolved="true" xml:lang="en-US">
-  <xccdf-1.2:status date="2023-07-27">draft</xccdf-1.2:status>
+  <xccdf-1.2:status date="2039-08-29">draft</xccdf-1.2:status>
   <xccdf-1.2:title>Guide to the Secure Configuration of Red Hat Virtualization 4</xccdf-1.2:title>
   <xccdf-1.2:description>This guide presents a catalog of security-relevant
 configuration settings for Red Hat Virtualization 4. It is a rendering of
@@ -43,19 +43,24 @@
 countries. All other names are registered trademarks or trademarks of their
 respective companies.</xccdf-1.2:rear-matter>
   <cpe-lang:platform-specification>
-    <cpe-lang:platform id="machine_and_package_chrony_or_package_ntp">
+    <cpe-lang:platform id="wifi-iface">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:logical-test operator="OR" negate="false">
-          <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
-          <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
-        </cpe-lang:logical-test>
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_wifi_interface:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="machine_and_not_s390x_arch">
+    <cpe-lang:platform id="package_yum">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-package_yum:def:1"/>
+      </cpe-lang:logical-test>
+    </cpe-lang:platform>
+    <cpe-lang:platform id="package_postfix">
+      <cpe-lang:logical-test operator="AND" negate="false">
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
+      </cpe-lang:logical-test>
+    </cpe-lang:platform>
+    <cpe-lang:platform id="non-uefi">
+      <cpe-lang:logical-test operator="AND" negate="false">
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
     <cpe-lang:platform id="machine_and_not_osbuild">
@@ -66,54 +71,61 @@
         <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_sssd">
+    <cpe-lang:platform id="package_tftp-server">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-package_tftp-server:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_postfix">
+    <cpe-lang:platform id="package_ntp">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_pam">
+    <cpe-lang:platform id="machine_and_package_chrony_or_package_ntp">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
-      </cpe-lang:logical-test>
-    </cpe-lang:platform>
-    <cpe-lang:platform id="not_osbuild">
-      <cpe-lang:logical-test operator="AND" negate="true">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
+        <cpe-lang:logical-test operator="OR" negate="false">
+          <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
+          <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
+        </cpe-lang:logical-test>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="machine">
+    <cpe-lang:platform id="machine_and_not_s390x_arch">
       <cpe-lang:logical-test operator="AND" negate="false">
         <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_shadow-utils">
+    <cpe-lang:platform id="package_sssd">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-package_shadow-utils:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_polkit">
+    <cpe-lang:platform id="machine_and_package_ufw">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-package_polkit:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_yum">
+    <cpe-lang:platform id="package_libuser">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-package_yum:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-package_libuser:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_libuser">
+    <cpe-lang:platform id="package_chrony_or_package_ntp">
+      <cpe-lang:logical-test operator="OR" negate="false">
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
+      </cpe-lang:logical-test>
+    </cpe-lang:platform>
+    <cpe-lang:platform id="package_gdm">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-package_libuser:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-package_gdm:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_nss-pam-ldapd">
+    <cpe-lang:platform id="package_pam">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-package_nss-pam-ldapd:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
     <cpe-lang:platform id="not_rhcos4-rhel9">
@@ -121,15 +133,14 @@
         <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-installed_OS_is_rhcos4_rhel9:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_chrony_or_package_ntp">
-      <cpe-lang:logical-test operator="OR" negate="false">
+    <cpe-lang:platform id="package_chrony">
+      <cpe-lang:logical-test operator="AND" negate="false">
         <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_tftp-server">
+    <cpe-lang:platform id="package_sudo">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-package_tftp-server:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-package_sudo:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
     <cpe-lang:platform id="package_systemd">
@@ -137,14 +148,19 @@
         <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-package_systemd:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="non-uefi">
+    <cpe-lang:platform id="aarch64_arch">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_sudo">
+    <cpe-lang:platform id="grub2">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-package_sudo:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_grub2_package:def:1"/>
+      </cpe-lang:logical-test>
+    </cpe-lang:platform>
+    <cpe-lang:platform id="not_osbuild">
+      <cpe-lang:logical-test operator="AND" negate="true">
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
     <cpe-lang:platform id="not_package_nftables_and_not_package_ufw">
@@ -157,34 +173,34 @@
         </cpe-lang:logical-test>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_gdm">
+    <cpe-lang:platform id="machine">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-package_gdm:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="grub2">
+    <cpe-lang:platform id="uefi">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_grub2_package:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_uefi:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="wifi-iface">
+    <cpe-lang:platform id="package_polkit">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_wifi_interface:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhv4-cpe-oval.xml" id-ref="oval:ssg-package_polkit:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_ntp">
+    <cpe-lang:platform id="package_audit">
       <cpe-lang:logical-test operator="AND" negate="false">
/usr/share/xml/scap/ssg/content/ssg-sl7-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-sl7-ds-1.2.xml	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-sl7-ds-1.2.xml	2023-07-27 00:00:00.000000000 +0000
@@ -53,7 +53,7 @@
   </ds:component>
   <ds:component id="scap_org.open-scap_comp_ssg-rhel7-xccdf.xml" timestamp="2023-07-27T00:00:00">
     <xccdf-1.2:Benchmark id="xccdf_org.ssgproject.content_benchmark_RHEL-7" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.2 xccdf-1.2.xsd" style="SCAP_1.2" resolved="true" xml:lang="en-US">
-      <xccdf-1.2:status date="2023-07-27">draft</xccdf-1.2:status>
+      <xccdf-1.2:status date="2039-08-29">draft</xccdf-1.2:status>
       <xccdf-1.2:title>Guide to the Secure Configuration of Red Hat Enterprise Linux 7</xccdf-1.2:title>
       <xccdf-1.2:description>This guide presents a catalog of security-relevant
 configuration settings for Red Hat Enterprise Linux 7. It is a rendering of
@@ -106,29 +106,42 @@
 countries. All other names are registered trademarks or trademarks of their
 respective companies.</xccdf-1.2:rear-matter>
       <cpe-lang:platform-specification>
-        <cpe-lang:platform id="machine_and_package_chrony_or_package_ntp">
+        <cpe-lang:platform id="wifi-iface">
           <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_wifi_interface:def:1"/>
+          </cpe-lang:logical-test>
+        </cpe-lang:platform>
+        <cpe-lang:platform id="not_aarch64_arch_and_os_linux_ol_gt_or_eq_9_0_or_aarch64_arch_and_os_linux_rhel_gt_or_eq_9_0_or_os_linux_rhel_le_or_eq_8_4_and_s390x_arch">
+          <cpe-lang:logical-test operator="AND" negate="true">
             <cpe-lang:logical-test operator="OR" negate="false">
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
+              <cpe-lang:logical-test operator="AND" negate="false">
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1"/>
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-os_linux_ol_gt_or_eq_9_0:def:1"/>
+              </cpe-lang:logical-test>
+              <cpe-lang:logical-test operator="AND" negate="false">
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1"/>
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_gt_or_eq_9_0:def:1"/>
+              </cpe-lang:logical-test>
+              <cpe-lang:logical-test operator="AND" negate="false">
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_le_or_eq_8_4:def:1"/>
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_s390x:def:1"/>
+              </cpe-lang:logical-test>
             </cpe-lang:logical-test>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_net-snmp">
+        <cpe-lang:platform id="package_yum">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_net-snmp:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_yum:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_not_s390x_arch">
+        <cpe-lang:platform id="package_postfix">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="os_linux_rhel_le_or_eq_8_5">
+        <cpe-lang:platform id="non-uefi">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_le_or_eq_8_5:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="machine_and_not_osbuild">
@@ -139,66 +152,77 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_sssd">
+        <cpe-lang:platform id="package_tftp-server">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_tftp-server:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_postfix">
+        <cpe-lang:platform id="package_ntp">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_mount_var-tmp">
+        <cpe-lang:platform id="machine_and_mount_tmp">
           <cpe-lang:logical-test operator="AND" negate="false">
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_var-tmp:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_tmp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_pam">
+        <cpe-lang:platform id="krb5_server_older_than_1_17-18">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-krb5_server_older_than_1_17_18:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="krb5_workstation_older_than_1_17-18_and_no_ovirt">
+        <cpe-lang:platform id="machine_and_package_chrony_or_package_ntp">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-krb5_workstation_older_than_1_17_18:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_no_ovirt:def:1"/>
+            <cpe-lang:logical-test operator="OR" negate="false">
+              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
+              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
+            </cpe-lang:logical-test>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="not_osbuild">
-          <cpe-lang:logical-test operator="AND" negate="true">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
+        <cpe-lang:platform id="machine_and_not_s390x_arch">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine">
+        <cpe-lang:platform id="package_sssd">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_shadow-utils">
+        <cpe-lang:platform id="machine_and_package_ufw">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_shadow-utils:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_polkit">
+        <cpe-lang:platform id="package_libuser">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_polkit:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_libuser:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_yum">
+        <cpe-lang:platform id="package_chrony_or_package_ntp">
+          <cpe-lang:logical-test operator="OR" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
+          </cpe-lang:logical-test>
+        </cpe-lang:platform>
+        <cpe-lang:platform id="package_nftables">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_yum:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_nftables:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_libuser">
+        <cpe-lang:platform id="package_gdm">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_libuser:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_gdm:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_nss-pam-ldapd">
+        <cpe-lang:platform id="package_pam">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_nss-pam-ldapd:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="not_s390x_arch">
@@ -206,36 +230,36 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
+        <cpe-lang:platform id="sssd-ldap">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-sssd_conf_uses_ldap:def:1"/>
+          </cpe-lang:logical-test>
+        </cpe-lang:platform>
         <cpe-lang:platform id="not_rhcos4-rhel9">
           <cpe-lang:logical-test operator="AND" negate="true">
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_OS_is_rhcos4_rhel9:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_chrony_or_package_ntp">
-          <cpe-lang:logical-test operator="OR" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
-          </cpe-lang:logical-test>
-        </cpe-lang:platform>
-        <cpe-lang:platform id="package_tftp-server">
+        <cpe-lang:platform id="package_chrony">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_tftp-server:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_systemd">
+        <cpe-lang:platform id="package_net-snmp">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_systemd:def:1"/>
/usr/share/xml/scap/ssg/content/ssg-sl7-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-sl7-ds.xml	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-sl7-ds.xml	2023-07-27 00:00:00.000000000 +0000
@@ -55,7 +55,7 @@
   </ds:component>
   <ds:component id="scap_org.open-scap_comp_ssg-rhel7-xccdf.xml" timestamp="2023-07-27T00:00:00">
     <xccdf-1.2:Benchmark id="xccdf_org.ssgproject.content_benchmark_RHEL-7" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.2 xccdf-1.2.xsd" style="SCAP_1.2" resolved="true" xml:lang="en-US">
-      <xccdf-1.2:status date="2023-07-27">draft</xccdf-1.2:status>
+      <xccdf-1.2:status date="2039-08-29">draft</xccdf-1.2:status>
       <xccdf-1.2:title>Guide to the Secure Configuration of Red Hat Enterprise Linux 7</xccdf-1.2:title>
       <xccdf-1.2:description>This guide presents a catalog of security-relevant
 configuration settings for Red Hat Enterprise Linux 7. It is a rendering of
@@ -108,29 +108,42 @@
 countries. All other names are registered trademarks or trademarks of their
 respective companies.</xccdf-1.2:rear-matter>
       <cpe-lang:platform-specification>
-        <cpe-lang:platform id="machine_and_package_chrony_or_package_ntp">
+        <cpe-lang:platform id="wifi-iface">
           <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_wifi_interface:def:1"/>
+          </cpe-lang:logical-test>
+        </cpe-lang:platform>
+        <cpe-lang:platform id="not_aarch64_arch_and_os_linux_ol_gt_or_eq_9_0_or_aarch64_arch_and_os_linux_rhel_gt_or_eq_9_0_or_os_linux_rhel_le_or_eq_8_4_and_s390x_arch">
+          <cpe-lang:logical-test operator="AND" negate="true">
             <cpe-lang:logical-test operator="OR" negate="false">
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
+              <cpe-lang:logical-test operator="AND" negate="false">
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1"/>
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-os_linux_ol_gt_or_eq_9_0:def:1"/>
+              </cpe-lang:logical-test>
+              <cpe-lang:logical-test operator="AND" negate="false">
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1"/>
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_gt_or_eq_9_0:def:1"/>
+              </cpe-lang:logical-test>
+              <cpe-lang:logical-test operator="AND" negate="false">
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_le_or_eq_8_4:def:1"/>
+                <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_s390x:def:1"/>
+              </cpe-lang:logical-test>
             </cpe-lang:logical-test>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_net-snmp">
+        <cpe-lang:platform id="package_yum">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_net-snmp:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_yum:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_not_s390x_arch">
+        <cpe-lang:platform id="package_postfix">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="os_linux_rhel_le_or_eq_8_5">
+        <cpe-lang:platform id="non-uefi">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_le_or_eq_8_5:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="machine_and_not_osbuild">
@@ -141,66 +154,77 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_sssd">
+        <cpe-lang:platform id="package_tftp-server">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_tftp-server:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_postfix">
+        <cpe-lang:platform id="package_ntp">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_mount_var-tmp">
+        <cpe-lang:platform id="machine_and_mount_tmp">
           <cpe-lang:logical-test operator="AND" negate="false">
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_var-tmp:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_tmp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_pam">
+        <cpe-lang:platform id="krb5_server_older_than_1_17-18">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-krb5_server_older_than_1_17_18:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="krb5_workstation_older_than_1_17-18_and_no_ovirt">
+        <cpe-lang:platform id="machine_and_package_chrony_or_package_ntp">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-krb5_workstation_older_than_1_17_18:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_no_ovirt:def:1"/>
+            <cpe-lang:logical-test operator="OR" negate="false">
+              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
+              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
+            </cpe-lang:logical-test>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="not_osbuild">
-          <cpe-lang:logical-test operator="AND" negate="true">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
+        <cpe-lang:platform id="machine_and_not_s390x_arch">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine">
+        <cpe-lang:platform id="package_sssd">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_shadow-utils">
+        <cpe-lang:platform id="machine_and_package_ufw">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_shadow-utils:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_polkit">
+        <cpe-lang:platform id="package_libuser">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_polkit:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_libuser:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_yum">
+        <cpe-lang:platform id="package_chrony_or_package_ntp">
+          <cpe-lang:logical-test operator="OR" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
+          </cpe-lang:logical-test>
+        </cpe-lang:platform>
+        <cpe-lang:platform id="package_nftables">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_yum:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_nftables:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_libuser">
+        <cpe-lang:platform id="package_gdm">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_libuser:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_gdm:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_nss-pam-ldapd">
+        <cpe-lang:platform id="package_pam">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_nss-pam-ldapd:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="not_s390x_arch">
@@ -208,36 +232,36 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
+        <cpe-lang:platform id="sssd-ldap">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-sssd_conf_uses_ldap:def:1"/>
+          </cpe-lang:logical-test>
+        </cpe-lang:platform>
         <cpe-lang:platform id="not_rhcos4-rhel9">
           <cpe-lang:logical-test operator="AND" negate="true">
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_OS_is_rhcos4_rhel9:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_chrony_or_package_ntp">
-          <cpe-lang:logical-test operator="OR" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
-          </cpe-lang:logical-test>
-        </cpe-lang:platform>
-        <cpe-lang:platform id="package_tftp-server">
+        <cpe-lang:platform id="package_chrony">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_tftp-server:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_systemd">
+        <cpe-lang:platform id="package_net-snmp">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_systemd:def:1"/>
/usr/share/xml/scap/ssg/content/ssg-sl7-xccdf.xml differs (ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-sl7-xccdf.xml	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-sl7-xccdf.xml	2023-07-27 00:00:00.000000000 +0000
@@ -1,5 +1,5 @@
 <xccdf-1.2:Benchmark xmlns:cpe-lang="http://cpe.mitre.org/language/2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:html="http://www.w3.org/1999/xhtml" xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="xccdf_org.ssgproject.content_benchmark_RHEL-7" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.2 xccdf-1.2.xsd" style="SCAP_1.2" resolved="true" xml:lang="en-US">
-  <xccdf-1.2:status date="2023-07-27">draft</xccdf-1.2:status>
+  <xccdf-1.2:status date="2039-08-29">draft</xccdf-1.2:status>
   <xccdf-1.2:title>Guide to the Secure Configuration of Red Hat Enterprise Linux 7</xccdf-1.2:title>
   <xccdf-1.2:description>This guide presents a catalog of security-relevant
 configuration settings for Red Hat Enterprise Linux 7. It is a rendering of
@@ -51,29 +51,42 @@
 countries. All other names are registered trademarks or trademarks of their
 respective companies.</xccdf-1.2:rear-matter>
   <cpe-lang:platform-specification>
-    <cpe-lang:platform id="machine_and_package_chrony_or_package_ntp">
+    <cpe-lang:platform id="wifi-iface">
       <cpe-lang:logical-test operator="AND" negate="false">
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_wifi_interface:def:1" />
+      </cpe-lang:logical-test>
+    </cpe-lang:platform>
+    <cpe-lang:platform id="not_aarch64_arch_and_os_linux_ol_gt_or_eq_9_0_or_aarch64_arch_and_os_linux_rhel_gt_or_eq_9_0_or_os_linux_rhel_le_or_eq_8_4_and_s390x_arch">
+      <cpe-lang:logical-test operator="AND" negate="true">
         <cpe-lang:logical-test operator="OR" negate="false">
-          <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1" />
-          <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1" />
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1" />
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-os_linux_ol_gt_or_eq_9_0:def:1" />
+          </cpe-lang:logical-test>
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1" />
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_gt_or_eq_9_0:def:1" />
+          </cpe-lang:logical-test>
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_le_or_eq_8_4:def:1" />
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_s390x:def:1" />
+          </cpe-lang:logical-test>
         </cpe-lang:logical-test>
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1" />
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_net-snmp">
+    <cpe-lang:platform id="package_yum">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_net-snmp:def:1" />
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_yum:def:1" />
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="machine_and_not_s390x_arch">
+    <cpe-lang:platform id="package_postfix">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1" />
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1" />
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1" />
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="os_linux_rhel_le_or_eq_8_5">
+    <cpe-lang:platform id="non-uefi">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-os_linux_rhel_le_or_eq_8_5:def:1" />
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1" />
       </cpe-lang:logical-test>
     </cpe-lang:platform>
     <cpe-lang:platform id="machine_and_not_osbuild">
@@ -84,66 +97,77 @@
         <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1" />
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_sssd">
+    <cpe-lang:platform id="package_tftp-server">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1" />
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_tftp-server:def:1" />
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_postfix">
+    <cpe-lang:platform id="package_ntp">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1" />
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1" />
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="machine_and_mount_var-tmp">
+    <cpe-lang:platform id="machine_and_mount_tmp">
       <cpe-lang:logical-test operator="AND" negate="false">
         <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1" />
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_var-tmp:def:1" />
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_tmp:def:1" />
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_pam">
+    <cpe-lang:platform id="krb5_server_older_than_1_17-18">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1" />
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-krb5_server_older_than_1_17_18:def:1" />
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="krb5_workstation_older_than_1_17-18_and_no_ovirt">
+    <cpe-lang:platform id="machine_and_package_chrony_or_package_ntp">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-krb5_workstation_older_than_1_17_18:def:1" />
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_no_ovirt:def:1" />
+        <cpe-lang:logical-test operator="OR" negate="false">
+          <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1" />
+          <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1" />
+        </cpe-lang:logical-test>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1" />
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="not_osbuild">
-      <cpe-lang:logical-test operator="AND" negate="true">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1" />
+    <cpe-lang:platform id="machine_and_not_s390x_arch">
+      <cpe-lang:logical-test operator="AND" negate="false">
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1" />
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1" />
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="machine">
+    <cpe-lang:platform id="package_sssd">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1" />
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1" />
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_shadow-utils">
+    <cpe-lang:platform id="machine_and_package_ufw">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_shadow-utils:def:1" />
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1" />
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1" />
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_polkit">
+    <cpe-lang:platform id="package_libuser">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_polkit:def:1" />
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_libuser:def:1" />
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_yum">
+    <cpe-lang:platform id="package_chrony_or_package_ntp">
+      <cpe-lang:logical-test operator="OR" negate="false">
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1" />
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1" />
+      </cpe-lang:logical-test>
+    </cpe-lang:platform>
+    <cpe-lang:platform id="package_nftables">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_yum:def:1" />
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_nftables:def:1" />
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_libuser">
+    <cpe-lang:platform id="package_gdm">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_libuser:def:1" />
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_gdm:def:1" />
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_nss-pam-ldapd">
+    <cpe-lang:platform id="package_pam">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_nss-pam-ldapd:def:1" />
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1" />
       </cpe-lang:logical-test>
     </cpe-lang:platform>
     <cpe-lang:platform id="not_s390x_arch">
@@ -151,36 +175,36 @@
         <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1" />
       </cpe-lang:logical-test>
     </cpe-lang:platform>
+    <cpe-lang:platform id="sssd-ldap">
+      <cpe-lang:logical-test operator="AND" negate="false">
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-sssd_conf_uses_ldap:def:1" />
+      </cpe-lang:logical-test>
+    </cpe-lang:platform>
     <cpe-lang:platform id="not_rhcos4-rhel9">
       <cpe-lang:logical-test operator="AND" negate="true">
         <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-installed_OS_is_rhcos4_rhel9:def:1" />
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_chrony_or_package_ntp">
-      <cpe-lang:logical-test operator="OR" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1" />
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1" />
-      </cpe-lang:logical-test>
-    </cpe-lang:platform>
-    <cpe-lang:platform id="package_tftp-server">
+    <cpe-lang:platform id="package_chrony">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_tftp-server:def:1" />
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1" />
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_systemd">
+    <cpe-lang:platform id="package_net-snmp">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_systemd:def:1" />
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhel7-cpe-oval.xml" id-ref="oval:ssg-package_net-snmp:def:1" />
       </cpe-lang:logical-test>
RPMS.2017/scap-security-guide-ubuntu-0.1.68-0.0.noarch.rpm RPMS/scap-security-guide-ubuntu-0.1.68-0.0.noarch.rpm differ: byte 225, line 1
Comparing scap-security-guide-ubuntu-0.1.68-0.0.noarch.rpm to scap-security-guide-ubuntu-0.1.68-0.0.noarch.rpm
comparing the rpm tags of scap-security-guide-ubuntu
--- old-rpm-tags
+++ new-rpm-tags
@@ -196,4 +196,4 @@
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_average.html ed09b1175d7f4dfc8ba3cc5e5422c175264d2712f1eefee7674d67529775579e 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_high.html a43651ac6de196bfbe24a98ce893f99ccf977297389d1529e643a6d63e1292bf 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_minimal.html a009eeecf0a4300f25bc1bbf60c1307b5d7232223488125affb1ca7e9365d06d 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_restrictive.html 0d9d9cadd2c24f704137a394a6305318a8c4b05cd382d1b8e88b00dcbff3fdfe 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_average.html 9ac09eebcf3e657d15dbc46ad3b9282b568f7eef4a71e965fb20d10f9a86fb77 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_high.html 802b69f60d52487a7391a05da13b12929d45fe5c41b47e0196a4ac446644b788 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_minimal.html d452a48f58523598a17533c56a28b34219d5ef1d7bd19af724b7aa86d79e512e 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_restrictive.html 1cc2ee44a556fae5fd6cf28590cb3ae8b0137542dc8a196b673986f03b0fc703 2
@@ -201,6 +201,6 @@
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-standard.html f2bcae9205fe5d8ff1884d39bc337231de2c918538ec69593a50946ea1a46b32 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_average.html dbd48cd1fd9203d9c31663006f0198036afbca69e2bb667323bddcb065e00990 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_high.html 09e8930be5cace288701ea5ef86b0aefc077852c73dba87d11dc5dcca4fad21c 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_minimal.html e980ff98db6076a9a47472eda4320708a1923e8a4235f4c94072eb745a12852f 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_restrictive.html 56f933dd855172f689ec4ebd63095e3682a783fe4dec19bc34ee7f27f1d8b595 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-cis.html bb899de8ae9929e7d77e795d56dbdad8818e52d153221b910e5ba99755876713 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-standard.html 813bf5f20a3466edad2524dd8c73afdb8916f00eddf5be79832d014553ea98a8 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_average.html 8e26776dbffb510f583bcac9c60c5723f75607913e3d6ebc3f58bebe3694e629 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_high.html bbdf7b20fd483e641e6519d913c630327acdf649776079e5fc0228b8fda1ba6b 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_minimal.html 124ad4fce24722b0ba3c507b983aa1d06e4063c188c6e1ecabbda46cc41db0ca 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_restrictive.html ae1997bc03523a247f029354324649603a67c26ae547fb5655c2c8982b923311 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-cis.html cd702f5b45ec286bbe20e1acda0e91a966d70ea590916c103929ce667e7dc5d8 2
@@ -208,5 +208,5 @@
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-standard.html f1ef022d59286417503cec9c9c5a5192ed29cb9d882813be07be8be642d29d8d 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level1_server.html 58a0a75d57e96d449fe7a1ad78332a7da0274974a2702740d84df78011ae55e4 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level1_workstation.html c9f6a8d3c2d6b0d8798b7f29d872ffe3d25c60123b4cbbce18872a0332363e9f 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level2_server.html 0c37a3a75c5a20bfac8dca35d8ddda21ff76fae478dd23888a084b5ae3f47744 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level2_workstation.html fd5949561fe9618d70ae917b197f52c44dbd756fd3f202823697e2f59a70ea1a 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-standard.html 7a943aa6045be967f100d7d56d47663aed7b632ab566fd79929d05a2d6d57c6b 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level1_server.html 3a873e3fadc03227e89d61c6d32bdfb58c1eef0c3aa5e244f1a6fe61ea3b1fdb 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level1_workstation.html 044c315d40a27811d60198f47a43662ae3f160793c4fe1d56f84fa562781206f 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level2_server.html 7367ec957238fd6bedf83b2bb9d153a7e39f48ab1d618da5d2ab1bfa639e7e9f 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level2_workstation.html 9d406caac839d51db3a9415b66a1138728ffa590b41912231a76737f5ae83b7a 2
@@ -214,6 +214,6 @@
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-standard.html 0da16daeeeafa8a87fc2f1a45c7b008899588be864838187287f4afa5d51ea55 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-stig.html 9caac9cc430759d720ea6c7bfbe796b08f43e73a4bc6e8eb3bf1905572165001 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2204-guide-cis_level1_server.html 88dc34344f42a6a280c75212fcb650a098864ed8a8b0e7b991cdda837ad7205a 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2204-guide-cis_level1_workstation.html 6e1a1d3927e3775e1fbe79754dfecddd8517d23eeb99bb9b581ef987144e0dfe 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2204-guide-cis_level2_server.html 6abb2da08ef2a3471a4dc1d55d1e5d004738c547e97d67663e33ca27e83b1a7e 2
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2204-guide-cis_level2_workstation.html 9b0bcaadce6a8715f1553c26a4cc352632f4998c186caacf3583f6cc7eceb17f 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-standard.html d6732d8b36cdef10da48603783a0160f56a9c751beadd219bc23a3476d9b0c55 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-stig.html 68bb2d7a77c8a57c42e39a925484b63b2fd9b79933780fcbfe5c28c3cd42a8fe 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2204-guide-cis_level1_server.html 235b4e30e1aeaa91c2785532ce22a98c33a02824cfbc58e9522c115d94404389 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2204-guide-cis_level1_workstation.html 999c5cb885f4a1dbfa307f09d7b47df76cedb3799fd65a7f3c6f4445a9eb0355 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2204-guide-cis_level2_server.html b25e0b63c3f6b788d8c5fa10d3e772a9e7f89a6079504aed95f5126c69907bde 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2204-guide-cis_level2_workstation.html ad44efd205d5ea5f773e183b2de54775dff468c19b0949feb4268473a474eabd 2
@@ -221 +221 @@
-/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2204-guide-standard.html bca5d200038f01d1e17e8d78d4f6ad99aba14ca346ff20976392cc61028ae475 2
+/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2204-guide-standard.html b706a7aa7d36be6b30a7d7032f0eb043057d468aeff18d1ae8b2f2397c1c2a54 2
@@ -278,3 +278,3 @@
-/usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ds-1.2.xml 37519812bf43de0396722e56e9a40bb6c55536a8ed2f0ff6243991b061556041 0
-/usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ds.xml 4924e0799351b3fdc6303c69177f367c8dbab79a2f9f5e6ec7f06a5ba5a6a5e6 0
-/usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ocil.xml 5f7bfdaa2d14628deccf1d980d94244f33e9353df6073dd850c4acb257474bc3 0
+/usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ds-1.2.xml 72b8083914b6847503bc6d46ac8c189a35122a78e12abe5d691dc237d72468fc 0
+/usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ds.xml b25d4fa083ad3803ed68400baf1dc7713a704399cf360e6bc380dde6b4620180 0
+/usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ocil.xml 8317809ab9908dc11ce1b5a8d15fb2d63e69f1a6f11d4b273383b2e6cb70d468 0
@@ -282 +282 @@
-/usr/share/xml/scap/ssg/content/ssg-ubuntu1604-xccdf.xml 7e18874e2b950efdeebe265dffc7492f96e6421289e4700b63535b5d6fb8e9fc 0
+/usr/share/xml/scap/ssg/content/ssg-ubuntu1604-xccdf.xml 78577f566c14b6f717b9a8a3da99e18409def9edd607a7a34717d331b101087c 0
@@ -285,3 +285,3 @@
-/usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ds-1.2.xml ca7605021a2ebdd57bd562abc68ad36e045e24a00f57ce5471e6c999b65544b6 0
-/usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ds.xml 2e71b47b70e6d06637a665e9b9b41b5b31ef2b73cc3638995febf6d5eb043840 0
-/usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ocil.xml b32473da2246f3cae19af38275ea6e48b28cfa38c4d1f90173c0b456c85f1a55 0
+/usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ds-1.2.xml 4bf7812c09fb99ab2833a97b12d45714f53bd12c2a08aa35b993a578db10736e 0
+/usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ds.xml b777cc5253ae3c000f4ee5d2733a11817485e99c0925111ab4bf8157e2a3a675 0
+/usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ocil.xml 3318af7866b34759621e7382a93188099b86e7edb4778418467dde9c008c64ca 0
@@ -289 +289 @@
-/usr/share/xml/scap/ssg/content/ssg-ubuntu1804-xccdf.xml 98794917ddbcba046cd385a26050bd0e45aa2ab91917cb73284d1504afe52d8c 0
+/usr/share/xml/scap/ssg/content/ssg-ubuntu1804-xccdf.xml 1e39d38a493aa7a6ce3053e4846a05ac5b73fcf42fb36b76554fbf0902aa5dec 0
@@ -292,3 +292,3 @@
-/usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ds-1.2.xml 9a0ba2becceb0345449064c9fd40a4f011ebf080cfe041ed36b366fef49c6b0e 0
-/usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ds.xml c21db0fa3031c976b8518a40ff74def38a8990bc5d4c1873b2c0964ab56052f9 0
-/usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ocil.xml 319edf82d88dc9f969ed714f71ac127328122d80921db2d8c76f246661efe184 0
+/usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ds-1.2.xml 1887219d1b806b6f8e894750a675bac4256d5689df90726a216c1011688238ae 0
+/usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ds.xml 7495694bfa4a8e0ceb5b7fa7246b8782ee58fc07f8e2fd9b2c2490529ddedd00 0
+/usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ocil.xml bfc4287a68fa0dcf5840133a067b5910dad5e977eaf9ef5b61e8bc182fb4afd2 0
@@ -296 +296 @@
-/usr/share/xml/scap/ssg/content/ssg-ubuntu2004-xccdf.xml 5dea700524cf9ce5e96e49b46a4652ce12809c73e485c5697c4c2dcd82038377 0
+/usr/share/xml/scap/ssg/content/ssg-ubuntu2004-xccdf.xml c22e2d5789d0370efb95aa310f9d6da744e3f0824812042471f324aeb604ca1e 0
@@ -299,3 +299,3 @@
-/usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ds-1.2.xml 2cce43d0e98f2b6189e8650e9172da284f7d72f357689abfe4c7f3873492e917 0
-/usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ds.xml aa4de65c1a7b975fcfbb3ca614887f38f412b125c4c9ef6f4f7d22c7ce293706 0
-/usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ocil.xml 9ad14a755b2b1de6274dfddf69e5207731645486c522d75f7b814df9f13dee4c 0
+/usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ds-1.2.xml 6977122bfd8df7a29c069a780c21b5c3c277849f8809b36658363d829f87495b 0
+/usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ds.xml 52a5a1b1c3b8471fd2afa1909aaf6320d2d8ff4da93af1f5d363d672e1968c15 0
+/usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ocil.xml e741ce8c8aec2a3b233c4c40529f050cfbd168a17e7241e78561e9baae500378 0
@@ -303 +303 @@
-/usr/share/xml/scap/ssg/content/ssg-ubuntu2204-xccdf.xml fe18c214feb16ab62d3377b9a9f5b585743c54f78f084f68dfe4917d716f2462 0
+/usr/share/xml/scap/ssg/content/ssg-ubuntu2204-xccdf.xml 6b55f341c6de31c11f054166e32fecf3d71e3c555d3895281b0ac164d407f1f4 0
comparing rpmtags
comparing RELEASE
comparing PROVIDES
comparing scripts
comparing filelist
comparing file checksum
creating rename script
RPM file checksum differs.
Extracting packages
/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_average.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_average.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_average.html	2023-07-27 00:00:00.000000000 +0000
@@ -65,7 +65,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Profile for ANSSI DAT-NT28 Average (Intermediate) Level</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_np_nt28_average</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:canonical:ubuntu_linux:16.04::~~lts~~~ is applicable to this Benchmark">cpe:/o:canonical:ubuntu_linux:16.04::~~lts~~~</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_apt">APT service configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-XENIAL"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_UBUNTU-XENIAL"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Ubuntu 16.04
                           <small>Group contains 19 groups and 40 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-XENIAL"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -2707,7 +2707,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id101" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id101"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure ntp is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id101" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id101"><pre><code>
+[[packages]]
+name = "ntp"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id102" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id102"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure ntp is installed
   package:
     name: ntp
     state: present
@@ -2721,10 +2725,6 @@
   - low_disruption
   - no_reboot_needed
   - package_ntp_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id102" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id102"><pre><code>
-[[packages]]
-name = "ntp"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id103" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id103"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_ntp
 
 class install_ntp {
/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_high.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_high.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_high.html	2023-07-27 00:00:00.000000000 +0000
@@ -65,7 +65,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Profile for ANSSI DAT-NT28 High (Enforced) Level</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_np_nt28_high</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:canonical:ubuntu_linux:16.04::~~lts~~~ is applicable to this Benchmark">cpe:/o:canonical:ubuntu_linux:16.04::~~lts~~~</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_apt">APT service configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-XENIAL"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_UBUNTU-XENIAL"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Ubuntu 16.04
                           <small>Group contains 22 groups and 46 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-XENIAL"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -362,7 +362,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id19" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id19"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure auditd is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id19" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id19"><pre><code>
+[[packages]]
+name = "auditd"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id20" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id20"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure auditd is installed
   package:
     name: auditd
     state: present
@@ -383,10 +387,6 @@
   - medium_severity
   - no_reboot_needed
   - package_audit_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id20" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id20"><pre><code>
-[[packages]]
-name = "auditd"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id21" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id21"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_auditd
 
 class install_auditd {
@@ -420,7 +420,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id24" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id24"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id24" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id24"><pre><code>
+[customizations.services]
+enabled = ["auditd"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -486,9 +489,6 @@
   - medium_severity
   - no_reboot_needed
   - service_auditd_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><pre><code>
-[customizations.services]
-enabled = ["auditd"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id26" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id26"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_auditd
 
 class enable_auditd {
@@ -2759,7 +2759,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id94" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id94"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure cron is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id94" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id94"><pre><code>
+[[packages]]
+name = "cron"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id95" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id95"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure cron is installed
   package:
     name: cron
     state: present
@@ -2772,10 +2776,6 @@
   - medium_severity
   - no_reboot_needed
   - package_cron_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id95" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id95"><pre><code>
-[[packages]]
-name = "cron"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id96" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id96"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_cron
 
 class install_cron {
@@ -3017,7 +3017,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id119" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id119"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure ntp is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id119" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id119"><pre><code>
+[[packages]]
+name = "ntp"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id120" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id120"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure ntp is installed
   package:
     name: ntp
     state: present
@@ -3031,10 +3035,6 @@
   - low_disruption
   - no_reboot_needed
   - package_ntp_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id120" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id120"><pre><code>
-[[packages]]
-name = "ntp"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id121" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id121"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_ntp
 
 class install_ntp {
@@ -3067,7 +3067,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id124" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id124"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id124" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id124"><pre><code>
+[customizations.services]
+enabled = ["ntp"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id125" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id125"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -3111,9 +3114,6 @@
   - low_disruption
   - no_reboot_needed
   - service_ntp_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id125" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id125"><pre><code>
-[customizations.services]
-enabled = ["ntp"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id126" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id126"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_ntp
 
 class enable_ntp {
@@ -3147,7 +3147,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id129" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id129"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id129" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id129"><pre><code>
+[customizations.services]
+enabled = ["systemd-timesyncd"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id130" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id130"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -3192,9 +3195,6 @@
   - low_disruption
   - no_reboot_needed
   - service_timesyncd_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id130" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id130"><pre><code>
-[customizations.services]
-enabled = ["systemd-timesyncd"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id131" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id131"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_systemd-timesyncd
 
 class enable_systemd-timesyncd {
/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_minimal.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_minimal.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_minimal.html	2023-07-27 00:00:00.000000000 +0000
@@ -65,7 +65,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Profile for ANSSI DAT-NT28 Minimal Level</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_np_nt28_minimal</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:canonical:ubuntu_linux:16.04::~~lts~~~ is applicable to this Benchmark">cpe:/o:canonical:ubuntu_linux:16.04::~~lts~~~</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_apt">APT service configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated services</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-XENIAL"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_UBUNTU-XENIAL"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Ubuntu 16.04
                           <small>Group contains 9 groups and 19 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-XENIAL"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_restrictive.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_restrictive.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-anssi_np_nt28_restrictive.html	2023-07-27 00:00:00.000000000 +0000
@@ -65,7 +65,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Profile for ANSSI DAT-NT28 Restrictive Level</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:canonical:ubuntu_linux:16.04::~~lts~~~ is applicable to this Benchmark">cpe:/o:canonical:ubuntu_linux:16.04::~~lts~~~</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_apt">APT service configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-XENIAL"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_UBUNTU-XENIAL"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Ubuntu 16.04
                           <small>Group contains 21 groups and 45 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-XENIAL"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -362,7 +362,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id19" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id19"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure auditd is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id19" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id19"><pre><code>
+[[packages]]
+name = "auditd"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id20" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id20"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure auditd is installed
   package:
     name: auditd
     state: present
@@ -383,10 +387,6 @@
   - medium_severity
   - no_reboot_needed
   - package_audit_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id20" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id20"><pre><code>
-[[packages]]
-name = "auditd"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id21" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id21"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_auditd
 
 class install_auditd {
@@ -420,7 +420,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id24" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id24"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id24" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id24"><pre><code>
+[customizations.services]
+enabled = ["auditd"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -486,9 +489,6 @@
   - medium_severity
   - no_reboot_needed
   - service_auditd_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><pre><code>
-[customizations.services]
-enabled = ["auditd"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id26" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id26"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_auditd
 
 class enable_auditd {
@@ -2716,7 +2716,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id91" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id91"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure cron is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id91" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id91"><pre><code>
+[[packages]]
+name = "cron"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id92" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id92"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure cron is installed
   package:
     name: cron
     state: present
@@ -2729,10 +2733,6 @@
   - medium_severity
   - no_reboot_needed
   - package_cron_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id92" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id92"><pre><code>
-[[packages]]
-name = "cron"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id93" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id93"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_cron
 
 class install_cron {
@@ -2974,7 +2974,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id116" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id116"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure ntp is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id116" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id116"><pre><code>
+[[packages]]
+name = "ntp"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id117" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id117"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure ntp is installed
   package:
     name: ntp
     state: present
@@ -2988,10 +2992,6 @@
   - low_disruption
   - no_reboot_needed
   - package_ntp_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id117" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id117"><pre><code>
-[[packages]]
-name = "ntp"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id118" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id118"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_ntp
 
 class install_ntp {
@@ -3024,7 +3024,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id121" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id121"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id121" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id121"><pre><code>
+[customizations.services]
+enabled = ["ntp"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id122" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id122"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -3068,9 +3071,6 @@
   - low_disruption
   - no_reboot_needed
   - service_ntp_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id122" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id122"><pre><code>
-[customizations.services]
-enabled = ["ntp"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id123" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id123"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_ntp
 
 class enable_ntp {
@@ -3104,7 +3104,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id126" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id126"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id126" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id126"><pre><code>
+[customizations.services]
+enabled = ["systemd-timesyncd"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id127" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id127"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -3149,9 +3152,6 @@
   - low_disruption
   - no_reboot_needed
   - service_timesyncd_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id127" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id127"><pre><code>
-[customizations.services]
-enabled = ["systemd-timesyncd"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id128" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id128"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_systemd-timesyncd
 
 class enable_systemd-timesyncd {
/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-standard.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-standard.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ubuntu1604-guide-standard.html	2023-07-27 00:00:00.000000000 +0000
@@ -67,7 +67,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Standard System Security Profile for Ubuntu 16.04</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_standard</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:canonical:ubuntu_linux:16.04::~~lts~~~ is applicable to this Benchmark">cpe:/o:canonical:ubuntu_linux:16.04::~~lts~~~</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-XENIAL"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_UBUNTU-XENIAL"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Ubuntu 16.04
                           <small>Group contains 19 groups and 45 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-XENIAL"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -238,7 +238,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id13" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id13"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure auditd is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id13" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id13"><pre><code>
+[[packages]]
+name = "auditd"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id14" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id14"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure auditd is installed
   package:
     name: auditd
     state: present
@@ -259,10 +263,6 @@
   - medium_severity
   - no_reboot_needed
   - package_audit_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id14" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id14"><pre><code>
-[[packages]]
-name = "auditd"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id15" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id15"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_auditd
 
 class install_auditd {
@@ -296,7 +296,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id18" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id18"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id18" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id18"><pre><code>
+[customizations.services]
+enabled = ["auditd"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id19" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id19"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -362,9 +365,6 @@
   - medium_severity
   - no_reboot_needed
   - service_auditd_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id19" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id19"><pre><code>
-[customizations.services]
-enabled = ["auditd"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id20" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id20"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_auditd
 
 class enable_auditd {
@@ -1493,7 +1493,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id35" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id35"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rsyslog is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id35" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id35"><pre><code>
+[[packages]]
+name = "rsyslog"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id36" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id36"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rsyslog is installed
   package:
     name: rsyslog
     state: present
@@ -1506,10 +1510,6 @@
   - medium_severity
   - no_reboot_needed
   - package_rsyslog_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id36" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id36"><pre><code>
-[[packages]]
-name = "rsyslog"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id37" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id37"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_rsyslog
 
 class install_rsyslog {
@@ -1535,7 +1535,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id40" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id40"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service rsyslog
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id40" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id40"><pre><code>
+[customizations.services]
+enabled = ["rsyslog"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id41" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id41"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service rsyslog
   block:
 
   - name: Gather the package facts
@@ -1560,9 +1563,6 @@
   - medium_severity
   - no_reboot_needed
   - service_rsyslog_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id41" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id41"><pre><code>
-[customizations.services]
-enabled = ["rsyslog"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id42" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id42"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_rsyslog
 
 class enable_rsyslog {
@@ -2674,7 +2674,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id94" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id94"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure cron is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id94" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id94"><pre><code>
+[[packages]]
+name = "cron"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id95" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id95"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure cron is installed
   package:
     name: cron
     state: present
@@ -2687,10 +2691,6 @@
   - medium_severity
   - no_reboot_needed
   - package_cron_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id95" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id95"><pre><code>
-[[packages]]
-name = "cron"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id96" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id96"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_cron
 
 class install_cron {
@@ -2718,7 +2718,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id99" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id99"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service cron
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id99" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id99"><pre><code>
+[customizations.services]
+enabled = ["cron"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id100" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id100"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service cron
   block:
 
   - name: Gather the package facts
@@ -2743,9 +2746,6 @@
   - medium_severity
   - no_reboot_needed
   - service_cron_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id100" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id100"><pre><code>
-[customizations.services]
-enabled = ["cron"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id101" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id101"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_cron
 
 class enable_cron {
@@ -2988,7 +2988,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id124" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id124"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure ntp is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id124" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id124"><pre><code>
+[[packages]]
+name = "ntp"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id125" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id125"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure ntp is installed
   package:
     name: ntp
     state: present
@@ -3002,10 +3006,6 @@
   - low_disruption
   - no_reboot_needed
   - package_ntp_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id125" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id125"><pre><code>
-[[packages]]
-name = "ntp"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id126" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id126"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_ntp
 
 class install_ntp {
@@ -3038,7 +3038,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id129" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id129"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id129" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id129"><pre><code>
+[customizations.services]
+enabled = ["ntp"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id130" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id130"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -3082,9 +3085,6 @@
   - low_disruption
   - no_reboot_needed
   - service_ntp_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id130" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id130"><pre><code>
-[customizations.services]
-enabled = ["ntp"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id131" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id131"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_ntp
 
 class enable_ntp {
@@ -3118,7 +3118,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id134" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id134"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_average.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_average.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_average.html	2023-07-27 00:00:00.000000000 +0000
@@ -65,7 +65,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Profile for ANSSI DAT-NT28 Average (Intermediate) Level</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_np_nt28_average</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:canonical:ubuntu_linux:18.04::~~lts~~~ is applicable to this Benchmark">cpe:/o:canonical:ubuntu_linux:18.04::~~lts~~~</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_apt">APT service configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-BIONIC"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_UBUNTU-BIONIC"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Ubuntu 18.04
                           <small>Group contains 19 groups and 40 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-BIONIC"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -2707,7 +2707,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id102" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id102"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure ntp is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id102" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id102"><pre><code>
+[[packages]]
+name = "ntp"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id103" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id103"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure ntp is installed
   package:
     name: ntp
     state: present
@@ -2721,10 +2725,6 @@
   - low_disruption
   - no_reboot_needed
   - package_ntp_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id103" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id103"><pre><code>
-[[packages]]
-name = "ntp"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id104" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id104"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_ntp
 
 class install_ntp {
/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_high.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_high.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_high.html	2023-07-27 00:00:00.000000000 +0000
@@ -65,7 +65,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Profile for ANSSI DAT-NT28 High (Enforced) Level</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_np_nt28_high</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:canonical:ubuntu_linux:18.04::~~lts~~~ is applicable to this Benchmark">cpe:/o:canonical:ubuntu_linux:18.04::~~lts~~~</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_apt">APT service configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-BIONIC"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_UBUNTU-BIONIC"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Ubuntu 18.04
                           <small>Group contains 22 groups and 46 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-BIONIC"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -362,7 +362,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id20" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id20"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure auditd is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id20" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id20"><pre><code>
+[[packages]]
+name = "auditd"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id21" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id21"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure auditd is installed
   package:
     name: auditd
     state: present
@@ -383,10 +387,6 @@
   - medium_severity
   - no_reboot_needed
   - package_audit_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id21" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id21"><pre><code>
-[[packages]]
-name = "auditd"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_auditd
 
 class install_auditd {
@@ -420,7 +420,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><pre><code>
+[customizations.services]
+enabled = ["auditd"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id26" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id26"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -486,9 +489,6 @@
   - medium_severity
   - no_reboot_needed
   - service_auditd_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id26" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id26"><pre><code>
-[customizations.services]
-enabled = ["auditd"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id27" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id27"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_auditd
 
 class enable_auditd {
@@ -2759,7 +2759,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id95" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id95"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure cron is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id95" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id95"><pre><code>
+[[packages]]
+name = "cron"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id96" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id96"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure cron is installed
   package:
     name: cron
     state: present
@@ -2772,10 +2776,6 @@
   - medium_severity
   - no_reboot_needed
   - package_cron_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id96" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id96"><pre><code>
-[[packages]]
-name = "cron"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id97" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id97"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_cron
 
 class install_cron {
@@ -3017,7 +3017,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id120" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id120"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure ntp is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id120" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id120"><pre><code>
+[[packages]]
+name = "ntp"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id121" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id121"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure ntp is installed
   package:
     name: ntp
     state: present
@@ -3031,10 +3035,6 @@
   - low_disruption
   - no_reboot_needed
   - package_ntp_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id121" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id121"><pre><code>
-[[packages]]
-name = "ntp"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id122" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id122"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_ntp
 
 class install_ntp {
@@ -3067,7 +3067,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id125" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id125"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id125" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id125"><pre><code>
+[customizations.services]
+enabled = ["ntp"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id126" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id126"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -3111,9 +3114,6 @@
   - low_disruption
   - no_reboot_needed
   - service_ntp_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id126" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id126"><pre><code>
-[customizations.services]
-enabled = ["ntp"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id127" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id127"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_ntp
 
 class enable_ntp {
@@ -3147,7 +3147,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id130" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id130"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id130" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id130"><pre><code>
+[customizations.services]
+enabled = ["systemd-timesyncd"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id131" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id131"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -3192,9 +3195,6 @@
   - low_disruption
   - no_reboot_needed
   - service_timesyncd_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id131" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id131"><pre><code>
-[customizations.services]
-enabled = ["systemd-timesyncd"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id132" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id132"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_systemd-timesyncd
 
 class enable_systemd-timesyncd {
/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_minimal.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_minimal.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_minimal.html	2023-07-27 00:00:00.000000000 +0000
@@ -65,7 +65,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Profile for ANSSI DAT-NT28 Minimal Level</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_np_nt28_minimal</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:canonical:ubuntu_linux:18.04::~~lts~~~ is applicable to this Benchmark">cpe:/o:canonical:ubuntu_linux:18.04::~~lts~~~</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_apt">APT service configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated services</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-BIONIC"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_UBUNTU-BIONIC"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Ubuntu 18.04
                           <small>Group contains 9 groups and 19 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-BIONIC"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_restrictive.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_restrictive.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-anssi_np_nt28_restrictive.html	2023-07-27 00:00:00.000000000 +0000
@@ -65,7 +65,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Profile for ANSSI DAT-NT28 Restrictive Level</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_anssi_np_nt28_restrictive</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:canonical:ubuntu_linux:18.04::~~lts~~~ is applicable to this Benchmark">cpe:/o:canonical:ubuntu_linux:18.04::~~lts~~~</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_apt">APT service configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-BIONIC"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_UBUNTU-BIONIC"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Ubuntu 18.04
                           <small>Group contains 21 groups and 45 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-BIONIC"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -362,7 +362,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id20" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id20"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure auditd is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id20" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id20"><pre><code>
+[[packages]]
+name = "auditd"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id21" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id21"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure auditd is installed
   package:
     name: auditd
     state: present
@@ -383,10 +387,6 @@
   - medium_severity
   - no_reboot_needed
   - package_audit_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id21" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id21"><pre><code>
-[[packages]]
-name = "auditd"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_auditd
 
 class install_auditd {
@@ -420,7 +420,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id25" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id25"><pre><code>
+[customizations.services]
+enabled = ["auditd"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id26" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id26"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -486,9 +489,6 @@
   - medium_severity
   - no_reboot_needed
   - service_auditd_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id26" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id26"><pre><code>
-[customizations.services]
-enabled = ["auditd"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id27" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id27"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_auditd
 
 class enable_auditd {
@@ -2716,7 +2716,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id92" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id92"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure cron is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id92" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id92"><pre><code>
+[[packages]]
+name = "cron"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id93" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id93"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure cron is installed
   package:
     name: cron
     state: present
@@ -2729,10 +2733,6 @@
   - medium_severity
   - no_reboot_needed
   - package_cron_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id93" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id93"><pre><code>
-[[packages]]
-name = "cron"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id94" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id94"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_cron
 
 class install_cron {
@@ -2974,7 +2974,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id117" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id117"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure ntp is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id117" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id117"><pre><code>
+[[packages]]
+name = "ntp"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id118" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id118"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure ntp is installed
   package:
     name: ntp
     state: present
@@ -2988,10 +2992,6 @@
   - low_disruption
   - no_reboot_needed
   - package_ntp_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id118" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id118"><pre><code>
-[[packages]]
-name = "ntp"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id119" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id119"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_ntp
 
 class install_ntp {
@@ -3024,7 +3024,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id122" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id122"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id122" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id122"><pre><code>
+[customizations.services]
+enabled = ["ntp"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id123" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id123"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -3068,9 +3071,6 @@
   - low_disruption
   - no_reboot_needed
   - service_ntp_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id123" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id123"><pre><code>
-[customizations.services]
-enabled = ["ntp"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id124" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id124"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_ntp
 
 class enable_ntp {
@@ -3104,7 +3104,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id127" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id127"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id127" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id127"><pre><code>
+[customizations.services]
+enabled = ["systemd-timesyncd"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id128" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id128"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -3149,9 +3152,6 @@
   - low_disruption
   - no_reboot_needed
   - service_timesyncd_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id128" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id128"><pre><code>
-[customizations.services]
-enabled = ["systemd-timesyncd"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id129" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id129"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_systemd-timesyncd
 
 class enable_systemd-timesyncd {
/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-cis.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-cis.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-cis.html	2023-07-27 00:00:00.000000000 +0000
@@ -67,7 +67,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>CIS Ubuntu 18.04 LTS Benchmark</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_cis</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:canonical:ubuntu_linux:18.04::~~lts~~~ is applicable to this Benchmark">cpe:/o:canonical:ubuntu_linux:18.04::~~lts~~~</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-BIONIC"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_UBUNTU-BIONIC"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Ubuntu 18.04
                           <small>Group contains 21 groups and 71 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-BIONIC"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -3462,7 +3462,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id39" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id39"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id39" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id39"><pre><code>
+[customizations.services]
+enabled = ["auditd"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id40" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id40"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -3528,9 +3531,6 @@
   - medium_severity
   - no_reboot_needed
   - service_auditd_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id40" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id40"><pre><code>
-[customizations.services]
-enabled = ["auditd"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id41" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id41"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_auditd
 
 class enable_auditd {
/usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-standard.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-standard.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ubuntu1804-guide-standard.html	2023-07-27 00:00:00.000000000 +0000
@@ -65,7 +65,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Standard System Security Profile for Ubuntu 18.04</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_standard</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:canonical:ubuntu_linux:18.04::~~lts~~~ is applicable to this Benchmark">cpe:/o:canonical:ubuntu_linux:18.04::~~lts~~~</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-BIONIC"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_UBUNTU-BIONIC"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Ubuntu 18.04
                           <small>Group contains 19 groups and 45 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU-BIONIC"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -236,7 +236,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id14" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id14"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure auditd is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id14" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id14"><pre><code>
+[[packages]]
+name = "auditd"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id15" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id15"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure auditd is installed
   package:
     name: auditd
     state: present
@@ -257,10 +261,6 @@
   - medium_severity
   - no_reboot_needed
   - package_audit_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id15" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id15"><pre><code>
-[[packages]]
-name = "auditd"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id16" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id16"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_auditd
 
 class install_auditd {
@@ -294,7 +294,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id19" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id19"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id19" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id19"><pre><code>
+[customizations.services]
+enabled = ["auditd"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id20" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id20"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -360,9 +363,6 @@
   - medium_severity
   - no_reboot_needed
   - service_auditd_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id20" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id20"><pre><code>
-[customizations.services]
-enabled = ["auditd"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id21" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id21"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_auditd
 
 class enable_auditd {
@@ -1491,7 +1491,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id36" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id36"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rsyslog is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id36" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id36"><pre><code>
+[[packages]]
+name = "rsyslog"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id37" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id37"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rsyslog is installed
   package:
     name: rsyslog
     state: present
@@ -1504,10 +1508,6 @@
   - medium_severity
   - no_reboot_needed
   - package_rsyslog_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id37" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id37"><pre><code>
-[[packages]]
-name = "rsyslog"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id38" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id38"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_rsyslog
 
 class install_rsyslog {
@@ -1533,7 +1533,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id41" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id41"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service rsyslog
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id41" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id41"><pre><code>
+[customizations.services]
+enabled = ["rsyslog"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id42" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id42"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service rsyslog
   block:
 
   - name: Gather the package facts
@@ -1558,9 +1561,6 @@
   - medium_severity
   - no_reboot_needed
   - service_rsyslog_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id42" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id42"><pre><code>
-[customizations.services]
-enabled = ["rsyslog"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id43" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id43"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_rsyslog
 
 class enable_rsyslog {
@@ -2672,7 +2672,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id95" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id95"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure cron is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id95" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id95"><pre><code>
+[[packages]]
+name = "cron"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id96" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id96"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure cron is installed
   package:
     name: cron
     state: present
@@ -2685,10 +2689,6 @@
   - medium_severity
   - no_reboot_needed
   - package_cron_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id96" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id96"><pre><code>
-[[packages]]
-name = "cron"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id97" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id97"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_cron
 
 class install_cron {
@@ -2716,7 +2716,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id100" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id100"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service cron
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id100" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id100"><pre><code>
+[customizations.services]
+enabled = ["cron"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id101" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id101"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service cron
   block:
 
   - name: Gather the package facts
@@ -2741,9 +2744,6 @@
   - medium_severity
   - no_reboot_needed
   - service_cron_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id101" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id101"><pre><code>
-[customizations.services]
-enabled = ["cron"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id102" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id102"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_cron
 
 class enable_cron {
@@ -2986,7 +2986,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id125" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id125"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure ntp is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id125" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id125"><pre><code>
+[[packages]]
+name = "ntp"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id126" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id126"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure ntp is installed
   package:
     name: ntp
     state: present
@@ -3000,10 +3004,6 @@
   - low_disruption
   - no_reboot_needed
   - package_ntp_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id126" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id126"><pre><code>
-[[packages]]
-name = "ntp"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id127" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id127"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_ntp
 
 class install_ntp {
@@ -3036,7 +3036,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id130" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id130"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id130" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id130"><pre><code>
+[customizations.services]
+enabled = ["ntp"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id131" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id131"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -3080,9 +3083,6 @@
   - low_disruption
   - no_reboot_needed
   - service_ntp_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id131" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id131"><pre><code>
-[customizations.services]
-enabled = ["ntp"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id132" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id132"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_ntp
 
 class enable_ntp {
@@ -3116,7 +3116,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id135" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id135"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level1_server.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level1_server.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level1_server.html	2023-07-27 00:00:00.000000000 +0000
@@ -66,7 +66,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>CIS Ubuntu 20.04 Level 1 Server Benchmark</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_cis_level1_server</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:canonical:ubuntu_linux:20.04::~~lts~~~ is applicable to this Benchmark">cpe:/o:canonical:ubuntu_linux:20.04::~~lts~~~</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_apparmor">AppArmor</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_avahi">Avahi Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated services</a></li><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_dns">DNS Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_http">Web Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_imap">IMAP and POP3 Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_printing">Print Support</a></li><li><a href="#xccdf_org.ssgproject.content_group_proxy">Proxy Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB) Microsoft Windows File Sharing Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_snmp">SNMP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_xwindows">X Window System</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU_20-04"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_UBUNTU_20-04"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Ubuntu 20.04
                           <small>Group contains 93 groups and 260 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU_20-04"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -118,7 +118,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id9" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id9"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id9" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id9"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id10" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id10"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -135,10 +139,6 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id10" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id10"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id11" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id11"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
@@ -594,7 +594,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id29" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id29"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id29" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id29"><pre><code>
+[[packages]]
+name = "sudo"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id30" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id30"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -608,10 +612,6 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id30" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id30"><pre><code>
-[[packages]]
-name = "sudo"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id31" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id31"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
 
 class install_sudo {
@@ -2655,7 +2655,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id99" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id99"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id99" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id99"><pre><code>
+[[packages]]
+name = "libpam-pwquality"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id100" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id100"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -2680,10 +2684,6 @@
   - medium_severity
   - no_reboot_needed
   - package_pam_pwquality_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id100" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id100"><pre><code>
-[[packages]]
-name = "libpam-pwquality"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id101" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id101"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_libpam-pwquality
 
 class install_libpam-pwquality {
@@ -4056,7 +4056,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id175" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id175"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure apparmor is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id175" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id175"><pre><code>
+[[packages]]
+name = "apparmor"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id176" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id176"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure apparmor is installed
   package:
     name: apparmor
     state: present
@@ -4069,10 +4073,6 @@
   - medium_severity
   - no_reboot_needed
   - package_apparmor_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id176" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id176"><pre><code>
-[[packages]]
-name = "apparmor"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id177" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id177"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_apparmor
 
 class install_apparmor {
@@ -4752,7 +4752,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id203" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id203"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rsyslog is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id203" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id203"><pre><code>
+[[packages]]
+name = "rsyslog"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id204" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id204"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rsyslog is installed
   package:
     name: rsyslog
     state: present
@@ -4765,10 +4769,6 @@
   - medium_severity
   - no_reboot_needed
   - package_rsyslog_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id204" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id204"><pre><code>
-[[packages]]
-name = "rsyslog"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id205" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id205"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_rsyslog
 
 class install_rsyslog {
@@ -4794,7 +4794,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id208" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id208"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service rsyslog
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id208" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id208"><pre><code>
+[customizations.services]
+enabled = ["rsyslog"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id209" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id209"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service rsyslog
   block:
 
   - name: Gather the package facts
@@ -4820,9 +4823,6 @@
   - medium_severity
   - no_reboot_needed
   - service_rsyslog_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id209" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id209"><pre><code>
-[customizations.services]
-enabled = ["rsyslog"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id210" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id210"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_rsyslog
 
 class enable_rsyslog {
@@ -5270,7 +5270,11 @@
 necessary to configure a Host Based Firewall.</div></td></tr><tr><td><span class="label label-warning">Severity:</span> </td><td><div class="severity">medium</div></td></tr><tr><td><span class="label label-primary">Rule ID:</span></td><td>xccdf_org.ssgproject.content_rule_package_iptables-persistent_installed</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> 
             <a href="https://www.cisecurity.org/benchmark/ubuntu_linux/">3.5.3.1.1</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id225" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ⇲</a><br><div class="panel-collapse collapse" id="id225"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
 DEBIAN_FRONTEND=noninteractive apt-get install -y "iptables-persistent"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id226" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id226"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure iptables-persistent is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id226" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id226"><pre><code>
+[[packages]]
+name = "iptables-persistent"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id227" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id227"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure iptables-persistent is installed
   package:
     name: iptables-persistent
     state: present
@@ -5281,10 +5285,6 @@
   - medium_severity
   - no_reboot_needed
   - package_iptables-persistent_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id227" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id227"><pre><code>
-[[packages]]
-name = "iptables-persistent"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id228" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id228"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_iptables-persistent
 
 class install_iptables-persistent {
@@ -5301,7 +5301,11 @@
 masquerading, etc.</div></td></tr><tr><td><span class="label label-warning">Severity:</span> </td><td><div class="severity">medium</div></td></tr><tr><td><span class="label label-primary">Rule ID:</span></td><td>xccdf_org.ssgproject.content_rule_package_iptables_installed</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> 
             <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-1.4.1</a>, <a href="https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf">1.4.2</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://www.cisecurity.org/benchmark/ubuntu_linux/">3.5.3.1.1</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id230" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ⇲</a><br><div class="panel-collapse collapse" id="id230"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
 DEBIAN_FRONTEND=noninteractive apt-get install -y "iptables"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id231" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id231"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure iptables is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id231" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id231"><pre><code>
+[[packages]]
+name = "iptables"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id232" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id232"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure iptables is installed
   package:
     name: iptables
     state: present
@@ -5315,10 +5319,6 @@
   - medium_severity
   - no_reboot_needed
   - package_iptables_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id232" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id232"><pre><code>
-[[packages]]
-name = "iptables"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id233" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id233"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_iptables
 
/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level1_workstation.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level1_workstation.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level1_workstation.html	2023-07-27 00:00:00.000000000 +0000
@@ -66,7 +66,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>CIS Ubuntu 20.04 Level 1 Workstation Benchmark</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_cis_level1_workstation</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:canonical:ubuntu_linux:20.04::~~lts~~~ is applicable to this Benchmark">cpe:/o:canonical:ubuntu_linux:20.04::~~lts~~~</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_apparmor">AppArmor</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_avahi">Avahi Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated services</a></li><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_dns">DNS Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_http">Web Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_imap">IMAP and POP3 Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_printing">Print Support</a></li><li><a href="#xccdf_org.ssgproject.content_group_proxy">Proxy Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB) Microsoft Windows File Sharing Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_snmp">SNMP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU_20-04"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_UBUNTU_20-04"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Ubuntu 20.04
                           <small>Group contains 91 groups and 259 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU_20-04"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -118,7 +118,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id9" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id9"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id9" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id9"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id10" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id10"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -135,10 +139,6 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id10" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id10"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id11" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id11"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
@@ -638,7 +638,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id28" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id28"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id28" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id28"><pre><code>
+[[packages]]
+name = "sudo"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id29" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id29"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -652,10 +656,6 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id29" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id29"><pre><code>
-[[packages]]
-name = "sudo"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id30" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id30"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
 
 class install_sudo {
@@ -2895,7 +2895,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id102" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id102"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id102" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id102"><pre><code>
+[[packages]]
+name = "libpam-pwquality"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id103" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id103"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -2920,10 +2924,6 @@
   - medium_severity
   - no_reboot_needed
   - package_pam_pwquality_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id103" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id103"><pre><code>
-[[packages]]
-name = "libpam-pwquality"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id104" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id104"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_libpam-pwquality
 
 class install_libpam-pwquality {
@@ -4296,7 +4296,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id178" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id178"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure apparmor is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id178" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id178"><pre><code>
+[[packages]]
+name = "apparmor"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id179" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id179"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure apparmor is installed
   package:
     name: apparmor
     state: present
@@ -4309,10 +4313,6 @@
   - medium_severity
   - no_reboot_needed
   - package_apparmor_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id179" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id179"><pre><code>
-[[packages]]
-name = "apparmor"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id180" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id180"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_apparmor
 
 class install_apparmor {
@@ -4992,7 +4992,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id206" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id206"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rsyslog is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id206" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id206"><pre><code>
+[[packages]]
+name = "rsyslog"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id207" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id207"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rsyslog is installed
   package:
     name: rsyslog
     state: present
@@ -5005,10 +5009,6 @@
   - medium_severity
   - no_reboot_needed
   - package_rsyslog_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id207" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id207"><pre><code>
-[[packages]]
-name = "rsyslog"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id208" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id208"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_rsyslog
 
 class install_rsyslog {
@@ -5034,7 +5034,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id211" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id211"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service rsyslog
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id211" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id211"><pre><code>
+[customizations.services]
+enabled = ["rsyslog"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id212" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id212"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service rsyslog
   block:
 
   - name: Gather the package facts
@@ -5060,9 +5063,6 @@
   - medium_severity
   - no_reboot_needed
   - service_rsyslog_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id212" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id212"><pre><code>
-[customizations.services]
-enabled = ["rsyslog"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id213" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id213"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_rsyslog
 
 class enable_rsyslog {
@@ -5510,7 +5510,11 @@
 necessary to configure a Host Based Firewall.</div></td></tr><tr><td><span class="label label-warning">Severity:</span> </td><td><div class="severity">medium</div></td></tr><tr><td><span class="label label-primary">Rule ID:</span></td><td>xccdf_org.ssgproject.content_rule_package_iptables-persistent_installed</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> 
             <a href="https://www.cisecurity.org/benchmark/ubuntu_linux/">3.5.3.1.1</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id228" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ⇲</a><br><div class="panel-collapse collapse" id="id228"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
 DEBIAN_FRONTEND=noninteractive apt-get install -y "iptables-persistent"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id229" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id229"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure iptables-persistent is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id229" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id229"><pre><code>
+[[packages]]
+name = "iptables-persistent"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id230" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id230"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure iptables-persistent is installed
   package:
     name: iptables-persistent
     state: present
@@ -5521,10 +5525,6 @@
   - medium_severity
   - no_reboot_needed
   - package_iptables-persistent_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id230" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id230"><pre><code>
-[[packages]]
-name = "iptables-persistent"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id231" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id231"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_iptables-persistent
 
 class install_iptables-persistent {
@@ -5541,7 +5541,11 @@
 masquerading, etc.</div></td></tr><tr><td><span class="label label-warning">Severity:</span> </td><td><div class="severity">medium</div></td></tr><tr><td><span class="label label-primary">Rule ID:</span></td><td>xccdf_org.ssgproject.content_rule_package_iptables_installed</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> 
             <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-1.4.1</a>, <a href="https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf">1.4.2</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://www.cisecurity.org/benchmark/ubuntu_linux/">3.5.3.1.1</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id233" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ⇲</a><br><div class="panel-collapse collapse" id="id233"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
 DEBIAN_FRONTEND=noninteractive apt-get install -y "iptables"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id234" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id234"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure iptables is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id234" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id234"><pre><code>
+[[packages]]
+name = "iptables"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id235" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id235"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure iptables is installed
   package:
     name: iptables
     state: present
@@ -5555,10 +5559,6 @@
   - medium_severity
   - no_reboot_needed
   - package_iptables_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id235" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id235"><pre><code>
-[[packages]]
-name = "iptables"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id236" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id236"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_iptables
 
/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level2_server.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level2_server.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level2_server.html	2023-07-27 00:00:00.000000000 +0000
@@ -66,7 +66,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>CIS Ubuntu 20.04 Level 2 Server Benchmark</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_cis_level2_server</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:canonical:ubuntu_linux:20.04::~~lts~~~ is applicable to this Benchmark">cpe:/o:canonical:ubuntu_linux:20.04::~~lts~~~</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_apparmor">AppArmor</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_avahi">Avahi Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated services</a></li><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_dns">DNS Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_http">Web Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_imap">IMAP and POP3 Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_printing">Print Support</a></li><li><a href="#xccdf_org.ssgproject.content_group_proxy">Proxy Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB) Microsoft Windows File Sharing Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_snmp">SNMP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_xwindows">X Window System</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU_20-04"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_UBUNTU_20-04"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Ubuntu 20.04
                           <small>Group contains 104 groups and 345 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU_20-04"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -118,7 +118,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id9" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id9"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id9" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id9"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id10" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id10"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -135,10 +139,6 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id10" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id10"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id11" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id11"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
@@ -639,7 +639,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id34" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id34"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id34" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id34"><pre><code>
+[[packages]]
+name = "sudo"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id35" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id35"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -653,10 +657,6 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id35" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id35"><pre><code>
-[[packages]]
-name = "sudo"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id36" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id36"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
 
 class install_sudo {
@@ -2700,7 +2700,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id104" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id104"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id104" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id104"><pre><code>
+[[packages]]
+name = "libpam-pwquality"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id105" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id105"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -2725,10 +2729,6 @@
   - medium_severity
   - no_reboot_needed
   - package_pam_pwquality_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id105" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id105"><pre><code>
-[[packages]]
-name = "libpam-pwquality"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id106" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id106"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_libpam-pwquality
 
 class install_libpam-pwquality {
@@ -45568,7 +45568,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id374" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id374"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure auditd is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id374" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id374"><pre><code>
+[[packages]]
+name = "auditd"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id375" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id375"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure auditd is installed
   package:
     name: auditd
     state: present
@@ -45590,10 +45594,6 @@
   - medium_severity
   - no_reboot_needed
   - package_audit_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id375" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id375"><pre><code>
-[[packages]]
-name = "auditd"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id376" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id376"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_auditd
 
 class install_auditd {
@@ -45627,7 +45627,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id379" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id379"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id379" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id379"><pre><code>
+[customizations.services]
+enabled = ["auditd"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id380" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id380"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -45693,9 +45696,6 @@
   - medium_severity
   - no_reboot_needed
   - service_auditd_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id380" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id380"><pre><code>
-[customizations.services]
-enabled = ["auditd"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id381" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id381"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_auditd
 
 class enable_auditd {
@@ -45795,7 +45795,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id390" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id390"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure apparmor is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id390" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id390"><pre><code>
+[[packages]]
+name = "apparmor"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id391" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id391"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure apparmor is installed
   package:
     name: apparmor
     state: present
@@ -45808,10 +45812,6 @@
   - medium_severity
   - no_reboot_needed
   - package_apparmor_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id391" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id391"><pre><code>
-[[packages]]
-name = "apparmor"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id392" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id392"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_apparmor
 
 class install_apparmor {
@@ -46534,7 +46534,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id420" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id420"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rsyslog is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id420" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id420"><pre><code>
+[[packages]]
+name = "rsyslog"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id421" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id421"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rsyslog is installed
   package:
     name: rsyslog
     state: present
@@ -46547,10 +46551,6 @@
   - medium_severity
   - no_reboot_needed
   - package_rsyslog_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id421" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id421"><pre><code>
-[[packages]]
-name = "rsyslog"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id422" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id422"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_rsyslog
 
 class install_rsyslog {
@@ -46576,7 +46576,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id425" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id425"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service rsyslog
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id425" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id425"><pre><code>
+[customizations.services]
+enabled = ["rsyslog"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id426" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id426"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service rsyslog
   block:
 
   - name: Gather the package facts
@@ -46602,9 +46605,6 @@
   - medium_severity
   - no_reboot_needed
   - service_rsyslog_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id426" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id426"><pre><code>
-[customizations.services]
-enabled = ["rsyslog"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id427" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id427"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_rsyslog
 
 class enable_rsyslog {
@@ -47052,7 +47052,11 @@
/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level2_workstation.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level2_workstation.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-cis_level2_workstation.html	2023-07-27 00:00:00.000000000 +0000
@@ -66,7 +66,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>CIS Ubuntu 20.04 Level 2 Workstation Benchmark</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_cis_level2_workstation</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:canonical:ubuntu_linux:20.04::~~lts~~~ is applicable to this Benchmark">cpe:/o:canonical:ubuntu_linux:20.04::~~lts~~~</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_apparmor">AppArmor</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_avahi">Avahi Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated services</a></li><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_dns">DNS Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_http">Web Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_imap">IMAP and POP3 Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_printing">Print Support</a></li><li><a href="#xccdf_org.ssgproject.content_group_proxy">Proxy Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB) Microsoft Windows File Sharing Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_snmp">SNMP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU_20-04"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_UBUNTU_20-04"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Ubuntu 20.04
                           <small>Group contains 104 groups and 347 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU_20-04"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -118,7 +118,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id9" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id9"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id9" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id9"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id10" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id10"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -135,10 +139,6 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id10" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id10"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id11" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id11"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
@@ -683,7 +683,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id33" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id33"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id33" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id33"><pre><code>
+[[packages]]
+name = "sudo"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id34" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id34"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -697,10 +701,6 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id34" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id34"><pre><code>
-[[packages]]
-name = "sudo"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id35" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id35"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
 
 class install_sudo {
@@ -2940,7 +2940,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id107" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id107"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id107" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id107"><pre><code>
+[[packages]]
+name = "libpam-pwquality"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id108" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id108"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -2965,10 +2969,6 @@
   - medium_severity
   - no_reboot_needed
   - package_pam_pwquality_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id108" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id108"><pre><code>
-[[packages]]
-name = "libpam-pwquality"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id109" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id109"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_libpam-pwquality
 
 class install_libpam-pwquality {
@@ -45808,7 +45808,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id377" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id377"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure auditd is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id377" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id377"><pre><code>
+[[packages]]
+name = "auditd"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id378" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id378"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure auditd is installed
   package:
     name: auditd
     state: present
@@ -45830,10 +45834,6 @@
   - medium_severity
   - no_reboot_needed
   - package_audit_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id378" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id378"><pre><code>
-[[packages]]
-name = "auditd"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id379" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id379"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_auditd
 
 class install_auditd {
@@ -45867,7 +45867,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id382" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id382"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id382" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id382"><pre><code>
+[customizations.services]
+enabled = ["auditd"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id383" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id383"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -45933,9 +45936,6 @@
   - medium_severity
   - no_reboot_needed
   - service_auditd_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id383" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id383"><pre><code>
-[customizations.services]
-enabled = ["auditd"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id384" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id384"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_auditd
 
 class enable_auditd {
@@ -46035,7 +46035,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id393" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id393"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure apparmor is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id393" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id393"><pre><code>
+[[packages]]
+name = "apparmor"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id394" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id394"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure apparmor is installed
   package:
     name: apparmor
     state: present
@@ -46048,10 +46052,6 @@
   - medium_severity
   - no_reboot_needed
   - package_apparmor_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id394" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id394"><pre><code>
-[[packages]]
-name = "apparmor"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id395" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id395"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_apparmor
 
 class install_apparmor {
@@ -46774,7 +46774,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id423" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id423"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rsyslog is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id423" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id423"><pre><code>
+[[packages]]
+name = "rsyslog"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id424" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id424"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rsyslog is installed
   package:
     name: rsyslog
     state: present
@@ -46787,10 +46791,6 @@
   - medium_severity
   - no_reboot_needed
   - package_rsyslog_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id424" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id424"><pre><code>
-[[packages]]
-name = "rsyslog"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id425" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id425"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_rsyslog
 
 class install_rsyslog {
@@ -46816,7 +46816,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id428" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id428"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service rsyslog
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id428" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id428"><pre><code>
+[customizations.services]
+enabled = ["rsyslog"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id429" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id429"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service rsyslog
   block:
 
   - name: Gather the package facts
@@ -46842,9 +46845,6 @@
   - medium_severity
   - no_reboot_needed
   - service_rsyslog_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id429" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id429"><pre><code>
-[customizations.services]
-enabled = ["rsyslog"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id430" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id430"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_rsyslog
 
 class enable_rsyslog {
@@ -47292,7 +47292,11 @@
/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-standard.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-standard.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-standard.html	2023-07-27 00:00:00.000000000 +0000
@@ -65,7 +65,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Standard System Security Profile for Ubuntu 20.04</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_standard</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:canonical:ubuntu_linux:20.04::~~lts~~~ is applicable to this Benchmark">cpe:/o:canonical:ubuntu_linux:20.04::~~lts~~~</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_apport">Apport Service</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU_20-04"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_UBUNTU_20-04"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Ubuntu 20.04
                           <small>Group contains 22 groups and 45 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU_20-04"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -265,7 +265,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id15" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id15"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure auditd is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id15" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id15"><pre><code>
+[[packages]]
+name = "auditd"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id16" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id16"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure auditd is installed
   package:
     name: auditd
     state: present
@@ -287,10 +291,6 @@
   - medium_severity
   - no_reboot_needed
   - package_audit_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id16" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id16"><pre><code>
-[[packages]]
-name = "auditd"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id17" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id17"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_auditd
 
 class install_auditd {
@@ -324,7 +324,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id20" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id20"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id20" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id20"><pre><code>
+[customizations.services]
+enabled = ["auditd"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id21" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id21"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -390,9 +393,6 @@
   - medium_severity
   - no_reboot_needed
   - service_auditd_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id21" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id21"><pre><code>
-[customizations.services]
-enabled = ["auditd"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id22" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id22"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_auditd
 
 class enable_auditd {
@@ -1521,7 +1521,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id37" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id37"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rsyslog is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id37" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id37"><pre><code>
+[[packages]]
+name = "rsyslog"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id38" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id38"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rsyslog is installed
   package:
     name: rsyslog
     state: present
@@ -1534,10 +1538,6 @@
   - medium_severity
   - no_reboot_needed
   - package_rsyslog_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id38" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id38"><pre><code>
-[[packages]]
-name = "rsyslog"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id39" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id39"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_rsyslog
 
 class install_rsyslog {
@@ -1563,7 +1563,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id42" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id42"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service rsyslog
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id42" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id42"><pre><code>
+[customizations.services]
+enabled = ["rsyslog"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id43" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id43"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service rsyslog
   block:
 
   - name: Gather the package facts
@@ -1589,9 +1592,6 @@
   - medium_severity
   - no_reboot_needed
   - service_rsyslog_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id43" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id43"><pre><code>
-[customizations.services]
-enabled = ["rsyslog"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id44" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id44"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_rsyslog
 
 class enable_rsyslog {
@@ -2716,7 +2716,24 @@
 # so let's reset the state so OVAL checks pass.
 # Service should be 'inactive', not 'failed' after reboot though.
 "$SYSTEMCTL_EXEC" reset-failed 'apport.service' || true
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id96" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id96"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Block Disable service apport
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id96" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id96"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    systemd:
+      units:
+      - name: apport.service
+        enabled: false
+        mask: true
+      - name: apport.socket
+        enabled: false
+        mask: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id97" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id97"><pre><code>
+[customizations.services]
+disabled = ["apport"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id98" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id98"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Block Disable service apport
   block:
 
   - name: Disable service apport
@@ -2769,23 +2786,6 @@
   - no_reboot_needed
   - service_apport_disabled
   - unknown_severity
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id97" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id97"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-      - name: apport.service
-        enabled: false
-        mask: true
-      - name: apport.socket
-        enabled: false
-        mask: true
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id98" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id98"><pre><code>
-[customizations.services]
-disabled = ["apport"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id99" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id99"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include disable_apport
 
 class disable_apport {
@@ -2812,7 +2812,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id102" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id102"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure cron is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id102" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id102"><pre><code>
+[[packages]]
+name = "cron"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id103" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id103"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure cron is installed
   package:
     name: cron
     state: present
@@ -2825,10 +2829,6 @@
   - medium_severity
   - no_reboot_needed
   - package_cron_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id103" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id103"><pre><code>
-[[packages]]
-name = "cron"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id104" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id104"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_cron
 
 class install_cron {
@@ -2856,7 +2856,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id107" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id107"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service cron
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id107" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id107"><pre><code>
+[customizations.services]
+enabled = ["cron"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id108" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id108"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service cron
   block:
 
   - name: Gather the package facts
@@ -2881,9 +2884,6 @@
   - medium_severity
   - no_reboot_needed
   - service_cron_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id108" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id108"><pre><code>
-[customizations.services]
-enabled = ["cron"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id109" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id109"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_cron
 
 class enable_cron {
@@ -3128,7 +3128,11 @@
/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-stig.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-stig.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ubuntu2004-guide-stig.html	2023-07-27 00:00:00.000000000 +0000
@@ -68,7 +68,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide (STIG) V1R1</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_stig</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:canonical:ubuntu_linux:20.04::~~lts~~~ is applicable to this Benchmark">cpe:/o:canonical:ubuntu_linux:20.04::~~lts~~~</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_apparmor">AppArmor</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_apt">APT service configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_base">Base Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_sssd">System Security Services Daemon</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU_20-04"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_UBUNTU_20-04"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Ubuntu 20.04
                           <small>Group contains 75 groups and 191 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU_20-04"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -120,7 +120,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id9" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id9"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id9" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id9"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id10" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id10"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -137,10 +141,6 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id10" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id10"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id11" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id11"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
@@ -2702,7 +2702,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id73" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id73"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id73" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id73"><pre><code>
+[[packages]]
+name = "libpam-pwquality"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id74" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id74"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -2727,10 +2731,6 @@
   - medium_severity
   - no_reboot_needed
   - package_pam_pwquality_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id74" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id74"><pre><code>
-[[packages]]
-name = "libpam-pwquality"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id75" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id75"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_libpam-pwquality
 
 class install_libpam-pwquality {
@@ -2909,7 +2909,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id80" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id80"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure vlock is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id80" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id80"><pre><code>
+[[packages]]
+name = "vlock"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id81" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id81"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure vlock is installed
   package:
     name: vlock
     state: present
@@ -2922,10 +2926,6 @@
   - medium_severity
   - no_reboot_needed
   - vlock_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id81" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id81"><pre><code>
-[[packages]]
-name = "vlock"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id82" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id82"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_vlock
 
 class install_vlock {
@@ -2964,7 +2964,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id85" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id85"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure opensc-pkcs11 is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id85" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id85"><pre><code>
+[[packages]]
+name = "opensc-pkcs11"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id86" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id86"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure opensc-pkcs11 is installed
   package:
     name: opensc-pkcs11
     state: present
@@ -2978,10 +2982,6 @@
   - medium_severity
   - no_reboot_needed
   - package_opensc_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id86" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id86"><pre><code>
-[[packages]]
-name = "opensc-pkcs11"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id87" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id87"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_opensc-pkcs11
 
 class install_opensc-pkcs11 {
@@ -3020,7 +3020,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id90" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id90"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure libpam-pkcs11 is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id90" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id90"><pre><code>
+[[packages]]
+name = "libpam-pkcs11"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id91" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id91"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure libpam-pkcs11 is installed
   package:
     name: libpam-pkcs11
     state: present
@@ -3038,10 +3042,6 @@
   - low_disruption
   - medium_severity
   - no_reboot_needed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id91" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id91"><pre><code>
-[[packages]]
-name = "libpam-pkcs11"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id92" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id92"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_libpam-pkcs11
 
 class install_libpam-pkcs11 {
@@ -44342,7 +44342,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id335" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id335"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure audispd-plugins is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id335" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id335"><pre><code>
+[[packages]]
+name = "audispd-plugins"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id336" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id336"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure audispd-plugins is installed
   package:
     name: audispd-plugins
     state: present
@@ -44357,10 +44361,6 @@
   - medium_severity
   - no_reboot_needed
   - package_audit-audispd-plugins_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id336" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id336"><pre><code>
-[[packages]]
-name = "audispd-plugins"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id337" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id337"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_audispd-plugins
 
 class install_audispd-plugins {
@@ -44379,7 +44379,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id340" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id340"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure auditd is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id340" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id340"><pre><code>
+[[packages]]
+name = "auditd"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id341" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id341"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure auditd is installed
   package:
     name: auditd
     state: present
@@ -44401,10 +44405,6 @@
   - medium_severity
   - no_reboot_needed
   - package_audit_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id341" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id341"><pre><code>
-[[packages]]
-name = "auditd"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id342" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id342"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_auditd
 
 class install_auditd {
@@ -44438,7 +44438,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id345" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id345"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id345" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id345"><pre><code>
+[customizations.services]
+enabled = ["auditd"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id346" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id346"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -44504,9 +44507,6 @@
   - medium_severity
   - no_reboot_needed
   - service_auditd_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id346" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id346"><pre><code>
-[customizations.services]
-enabled = ["auditd"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id347" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id347"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_auditd
 
/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2204-guide-cis_level1_server.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ubuntu2204-guide-cis_level1_server.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ubuntu2204-guide-cis_level1_server.html	2023-07-27 00:00:00.000000000 +0000
@@ -66,7 +66,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>CIS Ubuntu 22.04 Level 1 Server Benchmark</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_cis_level1_server</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:canonical:ubuntu_linux:22.04::~~lts~~~ is applicable to this Benchmark">cpe:/o:canonical:ubuntu_linux:22.04::~~lts~~~</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_apparmor">AppArmor</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_apport">Apport Service</a></li><li><a href="#xccdf_org.ssgproject.content_group_avahi">Avahi Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated services</a></li><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_dns">DNS Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_http">Web Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_imap">IMAP and POP3 Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_printing">Print Support</a></li><li><a href="#xccdf_org.ssgproject.content_group_proxy">Proxy Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB) Microsoft Windows File Sharing Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_snmp">SNMP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_xwindows">X Window System</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU_22-04"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_UBUNTU_22-04"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Ubuntu 22.04
                           <small>Group contains 102 groups and 290 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU_22-04"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -118,7 +118,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id8" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id8"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id8" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id8"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id9" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id9"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -134,10 +138,6 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id9" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id9"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id10" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id10"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
@@ -1126,7 +1126,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id40" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id40"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id40" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id40"><pre><code>
+[[packages]]
+name = "sudo"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id41" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id41"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -1140,10 +1144,6 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id41" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id41"><pre><code>
-[[packages]]
-name = "sudo"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id42" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id42"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
 
 class install_sudo {
@@ -5248,7 +5248,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id211" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id211"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure apparmor is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id211" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id211"><pre><code>
+[[packages]]
+name = "apparmor"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id212" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id212"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure apparmor is installed
   package:
     name: apparmor
     state: present
@@ -5260,10 +5264,6 @@
   - medium_severity
   - no_reboot_needed
   - package_apparmor_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id212" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id212"><pre><code>
-[[packages]]
-name = "apparmor"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id213" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id213"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_apparmor
 
 class install_apparmor {
@@ -5637,7 +5637,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id228" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id228"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure systemd-journal-remote is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id228" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id228"><pre><code>
+[[packages]]
+name = "systemd-journal-remote"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id229" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id229"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure systemd-journal-remote is installed
   package:
     name: systemd-journal-remote
     state: present
@@ -5649,10 +5653,6 @@
   - medium_severity
   - no_reboot_needed
   - package_systemd-journal-remote_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id229" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id229"><pre><code>
-[[packages]]
-name = "systemd-journal-remote"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id230" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id230"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_systemd-journal-remote
 
 class install_systemd-journal-remote {
@@ -5678,7 +5678,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id233" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id233"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service systemd-journald
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id233" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id233"><pre><code>
+[customizations.services]
+enabled = ["systemd-journald"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id234" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id234"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service systemd-journald
   block:
 
   - name: Gather the package facts
@@ -5702,9 +5705,6 @@
   - medium_severity
   - no_reboot_needed
   - service_systemd-journald_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id234" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id234"><pre><code>
-[customizations.services]
-enabled = ["systemd-journald"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id235" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id235"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_systemd-journald
 
 class enable_systemd-journald {
@@ -6286,7 +6286,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id252" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id252"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rsyslog is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id252" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id252"><pre><code>
+[[packages]]
+name = "rsyslog"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id253" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id253"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rsyslog is installed
   package:
     name: rsyslog
     state: present
@@ -6299,10 +6303,6 @@
   - medium_severity
   - no_reboot_needed
   - package_rsyslog_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id253" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id253"><pre><code>
-[[packages]]
-name = "rsyslog"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id254" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id254"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_rsyslog
 
 class install_rsyslog {
@@ -6328,7 +6328,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id257" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id257"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service rsyslog
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id257" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id257"><pre><code>
+[customizations.services]
+enabled = ["rsyslog"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id258" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id258"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service rsyslog
   block:
 
   - name: Gather the package facts
@@ -6353,9 +6356,6 @@
   - medium_severity
   - no_reboot_needed
   - service_rsyslog_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id258" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id258"><pre><code>
-[customizations.services]
-enabled = ["rsyslog"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id259" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id259"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_rsyslog
 
 class enable_rsyslog {
@@ -6818,7 +6818,11 @@
 masquerading, etc.</div></td></tr><tr><td><span class="label label-warning">Severity:</span> </td><td><div class="severity">medium</div></td></tr><tr><td><span class="label label-primary">Rule ID:</span></td><td>xccdf_org.ssgproject.content_rule_package_iptables_installed</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> 
             <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-1.4.1</a>, <a href="https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf">1.4.2</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://www.cisecurity.org/benchmark/ubuntu_linux/">3.5.3.1.1</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id276" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ⇲</a><br><div class="panel-collapse collapse" id="id276"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
 DEBIAN_FRONTEND=noninteractive apt-get install -y "iptables"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id277" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id277"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure iptables is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id277" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id277"><pre><code>
+[[packages]]
+name = "iptables"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id278" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id278"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure iptables is installed
   package:
     name: iptables
     state: present
@@ -6832,10 +6836,6 @@
   - medium_severity
   - no_reboot_needed
   - package_iptables_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id278" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id278"><pre><code>
-[[packages]]
-name = "iptables"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id279" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id279"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_iptables
 
 class install_iptables {
@@ -10125,7 +10125,11 @@
/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2204-guide-cis_level1_workstation.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ubuntu2204-guide-cis_level1_workstation.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ubuntu2204-guide-cis_level1_workstation.html	2023-07-27 00:00:00.000000000 +0000
@@ -66,7 +66,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>CIS Ubuntu 22.04 Level 1 Workstation Benchmark</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_cis_level1_workstation</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:canonical:ubuntu_linux:22.04::~~lts~~~ is applicable to this Benchmark">cpe:/o:canonical:ubuntu_linux:22.04::~~lts~~~</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_apparmor">AppArmor</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_apport">Apport Service</a></li><li><a href="#xccdf_org.ssgproject.content_group_avahi">Avahi Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated services</a></li><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_dns">DNS Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_http">Web Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_imap">IMAP and POP3 Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_printing">Print Support</a></li><li><a href="#xccdf_org.ssgproject.content_group_proxy">Proxy Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB) Microsoft Windows File Sharing Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_snmp">SNMP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU_22-04"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_UBUNTU_22-04"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Ubuntu 22.04
                           <small>Group contains 98 groups and 284 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU_22-04"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -118,7 +118,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id8" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id8"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id8" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id8"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id9" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id9"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -134,10 +138,6 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id9" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id9"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id10" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id10"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
@@ -967,7 +967,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id36" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id36"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id36" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id36"><pre><code>
+[[packages]]
+name = "sudo"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id37" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id37"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -981,10 +985,6 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id37" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id37"><pre><code>
-[[packages]]
-name = "sudo"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id38" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id38"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
 
 class install_sudo {
@@ -5089,7 +5089,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id207" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id207"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure apparmor is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id207" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id207"><pre><code>
+[[packages]]
+name = "apparmor"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id208" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id208"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure apparmor is installed
   package:
     name: apparmor
     state: present
@@ -5101,10 +5105,6 @@
   - medium_severity
   - no_reboot_needed
   - package_apparmor_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id208" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id208"><pre><code>
-[[packages]]
-name = "apparmor"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id209" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id209"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_apparmor
 
 class install_apparmor {
@@ -5478,7 +5478,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id224" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id224"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure systemd-journal-remote is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id224" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id224"><pre><code>
+[[packages]]
+name = "systemd-journal-remote"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id225" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id225"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure systemd-journal-remote is installed
   package:
     name: systemd-journal-remote
     state: present
@@ -5490,10 +5494,6 @@
   - medium_severity
   - no_reboot_needed
   - package_systemd-journal-remote_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id225" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id225"><pre><code>
-[[packages]]
-name = "systemd-journal-remote"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id226" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id226"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_systemd-journal-remote
 
 class install_systemd-journal-remote {
@@ -5519,7 +5519,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id229" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id229"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service systemd-journald
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id229" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id229"><pre><code>
+[customizations.services]
+enabled = ["systemd-journald"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id230" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id230"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service systemd-journald
   block:
 
   - name: Gather the package facts
@@ -5543,9 +5546,6 @@
   - medium_severity
   - no_reboot_needed
   - service_systemd-journald_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id230" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id230"><pre><code>
-[customizations.services]
-enabled = ["systemd-journald"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id231" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id231"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_systemd-journald
 
 class enable_systemd-journald {
@@ -6127,7 +6127,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id248" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id248"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rsyslog is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id248" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id248"><pre><code>
+[[packages]]
+name = "rsyslog"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id249" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id249"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rsyslog is installed
   package:
     name: rsyslog
     state: present
@@ -6140,10 +6144,6 @@
   - medium_severity
   - no_reboot_needed
   - package_rsyslog_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id249" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id249"><pre><code>
-[[packages]]
-name = "rsyslog"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id250" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id250"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_rsyslog
 
 class install_rsyslog {
@@ -6169,7 +6169,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id253" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id253"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service rsyslog
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id253" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id253"><pre><code>
+[customizations.services]
+enabled = ["rsyslog"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id254" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id254"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service rsyslog
   block:
 
   - name: Gather the package facts
@@ -6194,9 +6197,6 @@
   - medium_severity
   - no_reboot_needed
   - service_rsyslog_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id254" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id254"><pre><code>
-[customizations.services]
-enabled = ["rsyslog"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id255" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id255"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_rsyslog
 
 class enable_rsyslog {
@@ -6659,7 +6659,11 @@
 masquerading, etc.</div></td></tr><tr><td><span class="label label-warning">Severity:</span> </td><td><div class="severity">medium</div></td></tr><tr><td><span class="label label-primary">Rule ID:</span></td><td>xccdf_org.ssgproject.content_rule_package_iptables_installed</td></tr><tr><td>Identifiers and References</td><td class="identifiers"><p><span class="label label-default" title="Provide a reference to a document or resource where the user can learn more about the subject of the Rule or Group.">References:</span> 
             <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</a>, <a href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-1.4.1</a>, <a href="https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf">1.4.2</a>, <a href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</a>, <a href="https://www.cisecurity.org/benchmark/ubuntu_linux/">3.5.3.1.1</a></p></td></tr><tr><td colspan="2"><div class="remediation-description"><a class="btn btn-success" data-toggle="collapse" data-target="#id272" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Shell script ⇲</a><br><div class="panel-collapse collapse" id="id272"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>
 DEBIAN_FRONTEND=noninteractive apt-get install -y "iptables"
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id273" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id273"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure iptables is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id273" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id273"><pre><code>
+[[packages]]
+name = "iptables"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id274" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id274"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure iptables is installed
   package:
     name: iptables
     state: present
@@ -6673,10 +6677,6 @@
   - medium_severity
   - no_reboot_needed
   - package_iptables_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id274" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id274"><pre><code>
-[[packages]]
-name = "iptables"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id275" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id275"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_iptables
 
 class install_iptables {
@@ -9966,7 +9966,11 @@
/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2204-guide-cis_level2_server.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ubuntu2204-guide-cis_level2_server.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ubuntu2204-guide-cis_level2_server.html	2023-07-27 00:00:00.000000000 +0000
@@ -66,7 +66,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>CIS Ubuntu 22.04 Level 2 Server Benchmark</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_cis_level2_server</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:canonical:ubuntu_linux:22.04::~~lts~~~ is applicable to this Benchmark">cpe:/o:canonical:ubuntu_linux:22.04::~~lts~~~</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_apparmor">AppArmor</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_apport">Apport Service</a></li><li><a href="#xccdf_org.ssgproject.content_group_avahi">Avahi Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated services</a></li><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_dns">DNS Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_http">Web Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_imap">IMAP and POP3 Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_printing">Print Support</a></li><li><a href="#xccdf_org.ssgproject.content_group_proxy">Proxy Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB) Microsoft Windows File Sharing Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_snmp">SNMP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_xwindows">X Window System</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU_22-04"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_UBUNTU_22-04"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Ubuntu 22.04
                           <small>Group contains 113 groups and 386 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU_22-04"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -118,7 +118,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id8" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id8"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id8" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id8"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id9" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id9"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -134,10 +138,6 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id9" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id9"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id10" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id10"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
@@ -1233,7 +1233,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id49" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id49"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id49" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id49"><pre><code>
+[[packages]]
+name = "sudo"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id50" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id50"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -1247,10 +1251,6 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id50" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id50"><pre><code>
-[[packages]]
-name = "sudo"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id51" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id51"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
 
 class install_sudo {
@@ -46228,7 +46228,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id437" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id437"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure auditd is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id437" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id437"><pre><code>
+[[packages]]
+name = "auditd"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id438" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id438"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure auditd is installed
   package:
     name: auditd
     state: present
@@ -46249,10 +46253,6 @@
   - medium_severity
   - no_reboot_needed
   - package_audit_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id438" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id438"><pre><code>
-[[packages]]
-name = "auditd"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id439" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id439"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_auditd
 
 class install_auditd {
@@ -46286,7 +46286,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id442" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id442"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id442" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id442"><pre><code>
+[customizations.services]
+enabled = ["auditd"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id443" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id443"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -46352,9 +46355,6 @@
   - medium_severity
   - no_reboot_needed
   - service_auditd_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id443" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id443"><pre><code>
-[customizations.services]
-enabled = ["auditd"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id444" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id444"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_auditd
 
 class enable_auditd {
@@ -46454,7 +46454,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id453" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id453"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure apparmor is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id453" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id453"><pre><code>
+[[packages]]
+name = "apparmor"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id454" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id454"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure apparmor is installed
   package:
     name: apparmor
     state: present
@@ -46466,10 +46470,6 @@
   - medium_severity
   - no_reboot_needed
   - package_apparmor_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id454" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id454"><pre><code>
-[[packages]]
-name = "apparmor"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id455" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id455"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_apparmor
 
 class install_apparmor {
@@ -46886,7 +46886,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id472" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id472"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure systemd-journal-remote is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id472" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id472"><pre><code>
+[[packages]]
+name = "systemd-journal-remote"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id473" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id473"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure systemd-journal-remote is installed
   package:
     name: systemd-journal-remote
     state: present
@@ -46898,10 +46902,6 @@
   - medium_severity
   - no_reboot_needed
   - package_systemd-journal-remote_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id473" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id473"><pre><code>
-[[packages]]
-name = "systemd-journal-remote"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id474" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id474"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_systemd-journal-remote
 
 class install_systemd-journal-remote {
@@ -46927,7 +46927,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id477" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id477"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service systemd-journald
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id477" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id477"><pre><code>
+[customizations.services]
+enabled = ["systemd-journald"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id478" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id478"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service systemd-journald
   block:
 
   - name: Gather the package facts
@@ -46951,9 +46954,6 @@
   - medium_severity
   - no_reboot_needed
   - service_systemd-journald_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id478" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id478"><pre><code>
-[customizations.services]
-enabled = ["systemd-journald"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id479" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id479"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_systemd-journald
 
 class enable_systemd-journald {
@@ -47535,7 +47535,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id496" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id496"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rsyslog is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id496" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id496"><pre><code>
+[[packages]]
+name = "rsyslog"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id497" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id497"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rsyslog is installed
   package:
     name: rsyslog
     state: present
@@ -47548,10 +47552,6 @@
   - medium_severity
   - no_reboot_needed
   - package_rsyslog_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id497" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id497"><pre><code>
-[[packages]]
-name = "rsyslog"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id498" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id498"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_rsyslog
 
 class install_rsyslog {
@@ -47577,7 +47577,10 @@
/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2204-guide-cis_level2_workstation.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ubuntu2204-guide-cis_level2_workstation.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ubuntu2204-guide-cis_level2_workstation.html	2023-07-27 00:00:00.000000000 +0000
@@ -66,7 +66,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>CIS Ubuntu 22.04 Level 2 Workstation Benchmark</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_cis_level2_workstation</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:canonical:ubuntu_linux:22.04::~~lts~~~ is applicable to this Benchmark">cpe:/o:canonical:ubuntu_linux:22.04::~~lts~~~</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_accounts">Account and Access Control</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_apparmor">AppArmor</a></li><li><a href="#xccdf_org.ssgproject.content_group_bootloader-grub2">GRUB2 bootloader configuration</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_network">Network Configuration and Firewalls</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_apport">Apport Service</a></li><li><a href="#xccdf_org.ssgproject.content_group_avahi">Avahi Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated services</a></li><li><a href="#xccdf_org.ssgproject.content_group_dhcp">DHCP</a></li><li><a href="#xccdf_org.ssgproject.content_group_dns">DNS Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ftp">FTP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_http">Web Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_imap">IMAP and POP3 Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ldap">LDAP</a></li><li><a href="#xccdf_org.ssgproject.content_group_mail">Mail Server Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_nfs_and_rpc">NFS and RPC</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_obsolete">Obsolete Services</a></li><li><a href="#xccdf_org.ssgproject.content_group_printing">Print Support</a></li><li><a href="#xccdf_org.ssgproject.content_group_proxy">Proxy Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_smb">Samba(SMB) Microsoft Windows File Sharing Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_snmp">SNMP Server</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU_22-04"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_UBUNTU_22-04"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Ubuntu 22.04
                           <small>Group contains 111 groups and 384 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU_22-04"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -118,7 +118,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id8" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id8"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id8" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id8"><pre><code>
+[[packages]]
+name = "aide"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id9" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id9"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure aide is installed
   package:
     name: aide
     state: present
@@ -134,10 +138,6 @@
   - medium_severity
   - no_reboot_needed
   - package_aide_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id9" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id9"><pre><code>
-[[packages]]
-name = "aide"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id10" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id10"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_aide
 
 class install_aide {
@@ -1171,7 +1171,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id45" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id45"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id45" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id45"><pre><code>
+[[packages]]
+name = "sudo"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id46" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id46"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure sudo is installed
   package:
     name: sudo
     state: present
@@ -1185,10 +1189,6 @@
   - medium_severity
   - no_reboot_needed
   - package_sudo_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id46" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id46"><pre><code>
-[[packages]]
-name = "sudo"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id47" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id47"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_sudo
 
 class install_sudo {
@@ -46166,7 +46166,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id433" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id433"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure auditd is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id433" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id433"><pre><code>
+[[packages]]
+name = "auditd"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id434" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id434"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure auditd is installed
   package:
     name: auditd
     state: present
@@ -46187,10 +46191,6 @@
   - medium_severity
   - no_reboot_needed
   - package_audit_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id434" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id434"><pre><code>
-[[packages]]
-name = "auditd"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id435" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id435"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_auditd
 
 class install_auditd {
@@ -46224,7 +46224,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id438" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id438"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id438" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id438"><pre><code>
+[customizations.services]
+enabled = ["auditd"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id439" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id439"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -46290,9 +46293,6 @@
   - medium_severity
   - no_reboot_needed
   - service_auditd_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id439" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id439"><pre><code>
-[customizations.services]
-enabled = ["auditd"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id440" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id440"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_auditd
 
 class enable_auditd {
@@ -46392,7 +46392,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id449" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id449"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure apparmor is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id449" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id449"><pre><code>
+[[packages]]
+name = "apparmor"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id450" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id450"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure apparmor is installed
   package:
     name: apparmor
     state: present
@@ -46404,10 +46408,6 @@
   - medium_severity
   - no_reboot_needed
   - package_apparmor_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id450" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id450"><pre><code>
-[[packages]]
-name = "apparmor"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id451" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id451"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_apparmor
 
 class install_apparmor {
@@ -46824,7 +46824,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id468" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id468"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure systemd-journal-remote is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id468" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id468"><pre><code>
+[[packages]]
+name = "systemd-journal-remote"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id469" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id469"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure systemd-journal-remote is installed
   package:
     name: systemd-journal-remote
     state: present
@@ -46836,10 +46840,6 @@
   - medium_severity
   - no_reboot_needed
   - package_systemd-journal-remote_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id469" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id469"><pre><code>
-[[packages]]
-name = "systemd-journal-remote"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id470" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id470"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_systemd-journal-remote
 
 class install_systemd-journal-remote {
@@ -46865,7 +46865,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id473" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id473"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service systemd-journald
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id473" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id473"><pre><code>
+[customizations.services]
+enabled = ["systemd-journald"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id474" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id474"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service systemd-journald
   block:
 
   - name: Gather the package facts
@@ -46889,9 +46892,6 @@
   - medium_severity
   - no_reboot_needed
   - service_systemd-journald_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id474" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id474"><pre><code>
-[customizations.services]
-enabled = ["systemd-journald"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id475" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id475"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_systemd-journald
 
 class enable_systemd-journald {
@@ -47473,7 +47473,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id492" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id492"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rsyslog is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id492" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id492"><pre><code>
+[[packages]]
+name = "rsyslog"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id493" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id493"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rsyslog is installed
   package:
     name: rsyslog
     state: present
@@ -47486,10 +47490,6 @@
   - medium_severity
   - no_reboot_needed
   - package_rsyslog_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id493" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id493"><pre><code>
-[[packages]]
-name = "rsyslog"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id494" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id494"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_rsyslog
 
 class install_rsyslog {
@@ -47515,7 +47515,10 @@
/usr/share/doc/scap-security-guide/guides/ssg-ubuntu2204-guide-standard.html differs (HTML document, UTF-8 Unicode text, with very long lines)
--- old//usr/share/doc/scap-security-guide/guides/ssg-ubuntu2204-guide-standard.html	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/doc/scap-security-guide/guides/ssg-ubuntu2204-guide-standard.html	2023-07-27 00:00:00.000000000 +0000
@@ -65,7 +65,7 @@
 other parties, and makes no guarantees, expressed or implied, about its
 quality, reliability, or any other characteristic.
 </div></div></div></div></div><div id="profileinfo"><h2>Profile Information</h2><div class="row"><div class="col-md-5 well well-lg horizontal-scroll"><table class="table table-bordered"><tr><th>Profile Title</th><td>Standard System Security Profile for Ubuntu 22.04</td></tr><tr><th>Profile ID</th><td>xccdf_org.ssgproject.content_profile_standard</td></tr></table></div><div class="col-md-3"><h4>CPE Platforms</h4><ul class="list-group"><li class="list-group-item"><span class="label label-default" title="CPE platform cpe:/o:canonical:ubuntu_linux:22.04::~~lts~~~ is applicable to this Benchmark">cpe:/o:canonical:ubuntu_linux:22.04::~~lts~~~</span></li></ul></div></div></div><div id="revisionhistory"><h2>Revision History</h2><p>Current version: <strong>0.1.68</strong></p><ul><li><strong>draft</strong>
-                    (as of 2023-07-27)
+                    (as of 2039-08-29)
                 </li></ul></div><h2>Table of Contents</h2><ol><li><a href="#xccdf_org.ssgproject.content_group_system">System Settings</a><ol><li><a href="#xccdf_org.ssgproject.content_group_software">Installing and Maintaining Software</a></li><li><a href="#xccdf_org.ssgproject.content_group_auditing">System Accounting with auditd</a></li><li><a href="#xccdf_org.ssgproject.content_group_logging">Configure Syslog</a></li><li><a href="#xccdf_org.ssgproject.content_group_permissions">File Permissions and Masks</a></li></ol></li><li><a href="#xccdf_org.ssgproject.content_group_services">Services</a><ol><li><a href="#xccdf_org.ssgproject.content_group_apport">Apport Service</a></li><li><a href="#xccdf_org.ssgproject.content_group_cron_and_at">Cron and At Daemons</a></li><li><a href="#xccdf_org.ssgproject.content_group_deprecated">Deprecated services</a></li><li><a href="#xccdf_org.ssgproject.content_group_ntp">Network Time Protocol</a></li><li><a href="#xccdf_org.ssgproject.content_group_ssh">SSH Server</a></li></ol></li></ol><div id="guide-tree"><h2>Checklist</h2><table class="treetable table table-bordered"><tbody><tr data-tt-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU_22-04"><td style="padding-left: 0px" id="xccdf_org.ssgproject.content_benchmark_UBUNTU_22-04"><span class="label label-default">Group</span>  
                 Guide to the Secure Configuration of Ubuntu 22.04
                           <small>Group contains 20 groups and 44 rules</small></td></tr><tr data-tt-id="children-xccdf_org.ssgproject.content_group_system" data-tt-parent-id="children-xccdf_org.ssgproject.content_benchmark_UBUNTU_22-04"><td style="padding-left: 19px" id="xccdf_org.ssgproject.content_group_system"><span class="label label-default">Group</span>  
@@ -236,7 +236,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id13" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id13"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure auditd is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id13" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id13"><pre><code>
+[[packages]]
+name = "auditd"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id14" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id14"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure auditd is installed
   package:
     name: auditd
     state: present
@@ -257,10 +261,6 @@
   - medium_severity
   - no_reboot_needed
   - package_audit_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id14" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id14"><pre><code>
-[[packages]]
-name = "auditd"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id15" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id15"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_auditd
 
 class install_auditd {
@@ -294,7 +294,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id18" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id18"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id18" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id18"><pre><code>
+[customizations.services]
+enabled = ["auditd"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id19" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id19"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Gather the package facts
   package_facts:
     manager: auto
   tags:
@@ -360,9 +363,6 @@
   - medium_severity
   - no_reboot_needed
   - service_auditd_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id19" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id19"><pre><code>
-[customizations.services]
-enabled = ["auditd"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id20" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id20"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_auditd
 
 class enable_auditd {
@@ -1491,7 +1491,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id35" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id35"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rsyslog is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id35" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id35"><pre><code>
+[[packages]]
+name = "rsyslog"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id36" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id36"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure rsyslog is installed
   package:
     name: rsyslog
     state: present
@@ -1504,10 +1508,6 @@
   - medium_severity
   - no_reboot_needed
   - package_rsyslog_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id36" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id36"><pre><code>
-[[packages]]
-name = "rsyslog"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id37" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id37"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_rsyslog
 
 class install_rsyslog {
@@ -1533,7 +1533,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id40" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id40"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service rsyslog
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id40" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id40"><pre><code>
+[customizations.services]
+enabled = ["rsyslog"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id41" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id41"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service rsyslog
   block:
 
   - name: Gather the package facts
@@ -1558,9 +1561,6 @@
   - medium_severity
   - no_reboot_needed
   - service_rsyslog_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id41" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id41"><pre><code>
-[customizations.services]
-enabled = ["rsyslog"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id42" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id42"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_rsyslog
 
 class enable_rsyslog {
@@ -2683,7 +2683,24 @@
 # so let's reset the state so OVAL checks pass.
 # Service should be 'inactive', not 'failed' after reboot though.
 "$SYSTEMCTL_EXEC" reset-failed 'apport.service' || true
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id94" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id94"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Block Disable service apport
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id94" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id94"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    systemd:
+      units:
+      - name: apport.service
+        enabled: false
+        mask: true
+      - name: apport.socket
+        enabled: false
+        mask: true
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id95" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id95"><pre><code>
+[customizations.services]
+disabled = ["apport"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id96" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id96"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>- name: Block Disable service apport
   block:
 
   - name: Disable service apport
@@ -2736,23 +2753,6 @@
   - no_reboot_needed
   - service_apport_disabled
   - unknown_severity
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id95" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Kubernetes snippet ⇲</a><br><div class="panel-collapse collapse" id="id95"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>medium</td></tr><tr><th>Reboot:</th><td>true</td></tr><tr><th>Strategy:</th><td>disable</td></tr></table><pre><code>apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-      - name: apport.service
-        enabled: false
-        mask: true
-      - name: apport.socket
-        enabled: false
-        mask: true
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id96" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id96"><pre><code>
-[customizations.services]
-disabled = ["apport"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id97" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id97"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include disable_apport
 
 class disable_apport {
@@ -2779,7 +2779,11 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id100" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id100"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure cron is installed
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id100" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id100"><pre><code>
+[[packages]]
+name = "cron"
+version = "*"
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id101" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id101"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Ensure cron is installed
   package:
     name: cron
     state: present
@@ -2792,10 +2796,6 @@
   - medium_severity
   - no_reboot_needed
   - package_cron_installed
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id101" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id101"><pre><code>
-[[packages]]
-name = "cron"
-version = "*"
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id102" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id102"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include install_cron
 
 class install_cron {
@@ -2823,7 +2823,10 @@
 else
     &gt;&amp;2 echo 'Remediation is not applicable, nothing was done'
 fi
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id105" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id105"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service cron
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id105" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id105"><pre><code>
+[customizations.services]
+enabled = ["cron"]
+</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id106" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Ansible snippet ⇲</a><br><div class="panel-collapse collapse" id="id106"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>- name: Enable service cron
   block:
 
   - name: Gather the package facts
@@ -2848,9 +2851,6 @@
   - medium_severity
   - no_reboot_needed
   - service_cron_enabled
-</code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id106" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation OSBuild Blueprint snippet ⇲</a><br><div class="panel-collapse collapse" id="id106"><pre><code>
-[customizations.services]
-enabled = ["cron"]
 </code></pre></div><a class="btn btn-success" data-toggle="collapse" data-target="#id107" tabindex="0" role="button" aria-expanded="false" title="Activate to reveal" href="#!">Remediation Puppet snippet ⇲</a><br><div class="panel-collapse collapse" id="id107"><table class="table table-striped table-bordered table-condensed"><tr><th>Complexity:</th><td>low</td></tr><tr><th>Disruption:</th><td>low</td></tr><tr><th>Strategy:</th><td>enable</td></tr></table><pre><code>include enable_cron
 
 class enable_cron {
@@ -3094,7 +3094,11 @@
/usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ds-1.2.xml	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ds-1.2.xml	2023-07-27 00:00:00.000000000 +0000
@@ -33,7 +33,7 @@
   </ds:component>
   <ds:component id="scap_org.open-scap_comp_ssg-ubuntu1604-xccdf.xml" timestamp="2023-07-27T00:00:00">
     <xccdf-1.2:Benchmark id="xccdf_org.ssgproject.content_benchmark_UBUNTU-XENIAL" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.2 xccdf-1.2.xsd" style="SCAP_1.2" resolved="true" xml:lang="en-US">
-      <xccdf-1.2:status date="2023-07-27">draft</xccdf-1.2:status>
+      <xccdf-1.2:status date="2039-08-29">draft</xccdf-1.2:status>
       <xccdf-1.2:title>Guide to the Secure Configuration of Ubuntu 16.04</xccdf-1.2:title>
       <xccdf-1.2:description>This guide presents a catalog of security-relevant
 configuration settings for Ubuntu 16.04. It is a rendering of
@@ -76,10 +76,24 @@
 countries. All other names are registered trademarks or trademarks of their
 respective companies.</xccdf-1.2:rear-matter>
       <cpe-lang:platform-specification>
-        <cpe-lang:platform id="machine_and_not_s390x_arch">
+        <cpe-lang:platform id="not_package_chrony_and_not_package_ntp">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
+            <cpe-lang:logical-test operator="AND" negate="true">
+              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
+            </cpe-lang:logical-test>
+            <cpe-lang:logical-test operator="AND" negate="true">
+              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
+            </cpe-lang:logical-test>
+          </cpe-lang:logical-test>
+        </cpe-lang:platform>
+        <cpe-lang:platform id="package_postfix">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
+          </cpe-lang:logical-test>
+        </cpe-lang:platform>
+        <cpe-lang:platform id="non-uefi">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="machine_and_not_osbuild">
@@ -90,44 +104,41 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_sssd">
+        <cpe-lang:platform id="package_ntp">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_postfix">
+        <cpe-lang:platform id="machine_and_not_s390x_arch">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_pam">
+        <cpe-lang:platform id="package_sssd">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
-          </cpe-lang:logical-test>
-        </cpe-lang:platform>
-        <cpe-lang:platform id="not_osbuild">
-          <cpe-lang:logical-test operator="AND" negate="true">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine">
+        <cpe-lang:platform id="machine_and_package_ufw">
           <cpe-lang:logical-test operator="AND" negate="false">
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_shadow-utils">
+        <cpe-lang:platform id="package_gdm">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-package_shadow-utils:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-package_gdm:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_systemd">
+        <cpe-lang:platform id="package_pam">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-package_systemd:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="non-uefi">
+        <cpe-lang:platform id="package_chrony">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="package_sudo">
@@ -135,19 +146,14 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-package_sudo:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="not_package_nftables_and_not_package_ufw">
+        <cpe-lang:platform id="package_systemd">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:logical-test operator="AND" negate="true">
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-package_nftables:def:1"/>
-            </cpe-lang:logical-test>
-            <cpe-lang:logical-test operator="AND" negate="true">
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
-            </cpe-lang:logical-test>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-package_systemd:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_gdm">
+        <cpe-lang:platform id="aarch64_arch">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-package_gdm:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="grub2">
@@ -155,24 +161,29 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_grub2_package:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_ntp">
-          <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
+        <cpe-lang:platform id="not_osbuild">
+          <cpe-lang:logical-test operator="AND" negate="true">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_chrony">
+        <cpe-lang:platform id="not_package_nftables_and_not_package_ufw">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
+            <cpe-lang:logical-test operator="AND" negate="true">
+              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-package_nftables:def:1"/>
+            </cpe-lang:logical-test>
+            <cpe-lang:logical-test operator="AND" negate="true">
+              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
+            </cpe-lang:logical-test>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="aarch64_arch">
+        <cpe-lang:platform id="machine">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="s390x_arch">
+        <cpe-lang:platform id="uefi">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_s390x:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_uefi:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="package_audit">
@@ -180,25 +191,14 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-package_audit:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="uefi">
-          <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_uefi:def:1"/>
-          </cpe-lang:logical-test>
-        </cpe-lang:platform>
-        <cpe-lang:platform id="not_package_chrony_and_not_package_ntp">
+        <cpe-lang:platform id="package_shadow-utils">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:logical-test operator="AND" negate="true">
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
-            </cpe-lang:logical-test>
-            <cpe-lang:logical-test operator="AND" negate="true">
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
-            </cpe-lang:logical-test>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-package_shadow-utils:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_package_ufw">
+        <cpe-lang:platform id="s390x_arch">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_s390x:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
       </cpe-lang:platform-specification>
@@ -3672,6 +3672,11 @@
               <xccdf-1.2:fix system="urn:xccdf:fix:script:sh" id="package_gnutls-utils_installed" complexity="low" disruption="low" reboot="false" strategy="enable">
 DEBIAN_FRONTEND=noninteractive apt-get install -y "gnutls-utils"
 </xccdf-1.2:fix>
+              <xccdf-1.2:fix system="urn:redhat:osbuild:blueprint" id="package_gnutls-utils_installed">
+[[packages]]
+name = "gnutls-utils"
+version = "*"
/usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ds.xml	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ds.xml	2023-07-27 00:00:00.000000000 +0000
@@ -35,7 +35,7 @@
   </ds:component>
   <ds:component id="scap_org.open-scap_comp_ssg-ubuntu1604-xccdf.xml" timestamp="2023-07-27T00:00:00">
     <xccdf-1.2:Benchmark id="xccdf_org.ssgproject.content_benchmark_UBUNTU-XENIAL" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.2 xccdf-1.2.xsd" style="SCAP_1.2" resolved="true" xml:lang="en-US">
-      <xccdf-1.2:status date="2023-07-27">draft</xccdf-1.2:status>
+      <xccdf-1.2:status date="2039-08-29">draft</xccdf-1.2:status>
       <xccdf-1.2:title>Guide to the Secure Configuration of Ubuntu 16.04</xccdf-1.2:title>
       <xccdf-1.2:description>This guide presents a catalog of security-relevant
 configuration settings for Ubuntu 16.04. It is a rendering of
@@ -78,10 +78,24 @@
 countries. All other names are registered trademarks or trademarks of their
 respective companies.</xccdf-1.2:rear-matter>
       <cpe-lang:platform-specification>
-        <cpe-lang:platform id="machine_and_not_s390x_arch">
+        <cpe-lang:platform id="not_package_chrony_and_not_package_ntp">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
+            <cpe-lang:logical-test operator="AND" negate="true">
+              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
+            </cpe-lang:logical-test>
+            <cpe-lang:logical-test operator="AND" negate="true">
+              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
+            </cpe-lang:logical-test>
+          </cpe-lang:logical-test>
+        </cpe-lang:platform>
+        <cpe-lang:platform id="package_postfix">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
+          </cpe-lang:logical-test>
+        </cpe-lang:platform>
+        <cpe-lang:platform id="non-uefi">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="machine_and_not_osbuild">
@@ -92,44 +106,41 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_sssd">
+        <cpe-lang:platform id="package_ntp">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_postfix">
+        <cpe-lang:platform id="machine_and_not_s390x_arch">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_pam">
+        <cpe-lang:platform id="package_sssd">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
-          </cpe-lang:logical-test>
-        </cpe-lang:platform>
-        <cpe-lang:platform id="not_osbuild">
-          <cpe-lang:logical-test operator="AND" negate="true">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine">
+        <cpe-lang:platform id="machine_and_package_ufw">
           <cpe-lang:logical-test operator="AND" negate="false">
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_shadow-utils">
+        <cpe-lang:platform id="package_gdm">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-package_shadow-utils:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-package_gdm:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_systemd">
+        <cpe-lang:platform id="package_pam">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-package_systemd:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="non-uefi">
+        <cpe-lang:platform id="package_chrony">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="package_sudo">
@@ -137,19 +148,14 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-package_sudo:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="not_package_nftables_and_not_package_ufw">
+        <cpe-lang:platform id="package_systemd">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:logical-test operator="AND" negate="true">
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-package_nftables:def:1"/>
-            </cpe-lang:logical-test>
-            <cpe-lang:logical-test operator="AND" negate="true">
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
-            </cpe-lang:logical-test>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-package_systemd:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_gdm">
+        <cpe-lang:platform id="aarch64_arch">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-package_gdm:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="grub2">
@@ -157,24 +163,29 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_grub2_package:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_ntp">
-          <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
+        <cpe-lang:platform id="not_osbuild">
+          <cpe-lang:logical-test operator="AND" negate="true">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_chrony">
+        <cpe-lang:platform id="not_package_nftables_and_not_package_ufw">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
+            <cpe-lang:logical-test operator="AND" negate="true">
+              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-package_nftables:def:1"/>
+            </cpe-lang:logical-test>
+            <cpe-lang:logical-test operator="AND" negate="true">
+              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
+            </cpe-lang:logical-test>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="aarch64_arch">
+        <cpe-lang:platform id="machine">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="s390x_arch">
+        <cpe-lang:platform id="uefi">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_s390x:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_uefi:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="package_audit">
@@ -182,25 +193,14 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-package_audit:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="uefi">
-          <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_uefi:def:1"/>
-          </cpe-lang:logical-test>
-        </cpe-lang:platform>
-        <cpe-lang:platform id="not_package_chrony_and_not_package_ntp">
+        <cpe-lang:platform id="package_shadow-utils">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:logical-test operator="AND" negate="true">
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
-            </cpe-lang:logical-test>
-            <cpe-lang:logical-test operator="AND" negate="true">
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
-            </cpe-lang:logical-test>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-package_shadow-utils:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_package_ufw">
+        <cpe-lang:platform id="s390x_arch">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_s390x:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
       </cpe-lang:platform-specification>
@@ -3674,6 +3674,11 @@
               <xccdf-1.2:fix system="urn:xccdf:fix:script:sh" id="package_gnutls-utils_installed" complexity="low" disruption="low" reboot="false" strategy="enable">
 DEBIAN_FRONTEND=noninteractive apt-get install -y "gnutls-utils"
 </xccdf-1.2:fix>
+              <xccdf-1.2:fix system="urn:redhat:osbuild:blueprint" id="package_gnutls-utils_installed">
+[[packages]]
+name = "gnutls-utils"
+version = "*"
/usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ocil.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ocil.xml	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu1604-ocil.xml	2023-07-27 00:00:00.000000000 +0000
@@ -7,682 +7,682 @@
     <ocil:timestamp>2023-07-27T00:00:00</ocil:timestamp>
   </ocil:generator>
   <ocil:questionnaires>
-    <ocil:questionnaire id="ocil:ssg-account_passwords_pam_faillock_dir_ocil:questionnaire:1">
-      <ocil:title>Account Lockouts Must Persist</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-kernel_config_kexec_ocil:questionnaire:1">
+      <ocil:title>Disable kexec system call</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-account_passwords_pam_faillock_dir_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-kernel_config_kexec_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-sshd_enable_warning_banner_net_ocil:questionnaire:1">
-      <ocil:title>Enable SSH Warning Banner</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-rsyslog_files_ownership_ocil:questionnaire:1">
+      <ocil:title>Ensure Log Files Are Owned By Appropriate User</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-sshd_enable_warning_banner_net_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-rsyslog_files_ownership_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-package_MFEhiplsm_installed_ocil:questionnaire:1">
-      <ocil:title>Install the Host Intrusion Prevention System (HIPS) Module</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-auditd_data_retention_max_log_file_action_ocil:questionnaire:1">
+      <ocil:title>Configure auditd max_log_file_action Upon Reaching Maximum Log Size</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-package_MFEhiplsm_installed_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-auditd_data_retention_max_log_file_action_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-grub2_disable_recovery_ocil:questionnaire:1">
-      <ocil:title>Disable Recovery Booting</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-file_groupowner_var_log_syslog_ocil:questionnaire:1">
+      <ocil:title>Verify Group Who Owns /var/log/syslog File</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-grub2_disable_recovery_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-file_groupowner_var_log_syslog_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-sudo_vdsm_nopasswd_ocil:questionnaire:1">
-      <ocil:title>Only the VDSM User Can Use sudo NOPASSWD</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-grub2_nosmep_argument_absent_ocil:questionnaire:1">
+      <ocil:title>Ensure SMEP is not disabled during boot</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-sudo_vdsm_nopasswd_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-grub2_nosmep_argument_absent_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-file_owner_var_log_messages_ocil:questionnaire:1">
-      <ocil:title>Verify User Who Owns /var/log/messages File</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-auditd_data_disk_full_action_ocil:questionnaire:1">
+      <ocil:title>Configure auditd Disk Full Action when Disk Space Is Full</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-file_owner_var_log_messages_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-auditd_data_disk_full_action_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-file_groupowner_etc_shadow_ocil:questionnaire:1">
-      <ocil:title>Verify Group Who Owns shadow File</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-set_iptables_default_rule_forward_ocil:questionnaire:1">
+      <ocil:title>Set Default iptables Policy for Forwarded Packets</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-file_groupowner_etc_shadow_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-set_iptables_default_rule_forward_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-file_permissions_backup_etc_shadow_ocil:questionnaire:1">
-      <ocil:title>Verify Permissions on Backup shadow File</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-dir_ownership_library_dirs_ocil:questionnaire:1">
+      <ocil:title>Verify that Shared Library Directories Have Root Ownership</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-file_permissions_backup_etc_shadow_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-dir_ownership_library_dirs_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-set_ip6tables_default_rule_ocil:questionnaire:1">
-      <ocil:title>Set Default ip6tables Policy for Incoming Packets</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-audit_rules_time_adjtimex_ocil:questionnaire:1">
+      <ocil:title>Record attempts to alter time through adjtimex</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-set_ip6tables_default_rule_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-audit_rules_time_adjtimex_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-file_groupowner_backup_etc_shadow_ocil:questionnaire:1">
-      <ocil:title>Verify User Who Owns Backup shadow File</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-package_rsyslog_installed_ocil:questionnaire:1">
+      <ocil:title>Ensure rsyslog is Installed</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-file_groupowner_backup_etc_shadow_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-package_rsyslog_installed_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-audit_rules_sysadmin_actions_ocil:questionnaire:1">
-      <ocil:title>Ensure auditd Collects System Administrator Actions</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-grub2_nosmap_argument_absent_ocil:questionnaire:1">
+      <ocil:title>Ensure SMAP is not disabled during boot</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-audit_rules_sysadmin_actions_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-sshd_enable_pubkey_auth_ocil:questionnaire:1">
-      <ocil:title>Enable Public Key Authentication</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-sshd_disable_rhosts_rsa_ocil:questionnaire:1">
+      <ocil:title>Disable SSH Support for Rhosts RSA Authentication</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-sshd_enable_pubkey_auth_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-sshd_disable_rhosts_rsa_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv4_conf_all_arp_filter_ocil:questionnaire:1">
-      <ocil:title>Configure ARP filtering for All IPv4 Interfaces</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-configure_user_data_backups_ocil:questionnaire:1">
+      <ocil:title>Configure Backups of User Data</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv4_conf_all_arp_filter_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-configure_user_data_backups_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-file_groupowner_backup_etc_gshadow_ocil:questionnaire:1">
-      <ocil:title>Verify Group Who Owns Backup gshadow File</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-service_ufw_enabled_ocil:questionnaire:1">
+      <ocil:title>Verify ufw Enabled</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-file_groupowner_backup_etc_gshadow_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-service_ufw_enabled_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-kernel_config_seccomp_filter_ocil:questionnaire:1">
-      <ocil:title>Enable use of Berkeley Packet Filter with seccomp</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-sshd_disable_kerb_auth_ocil:questionnaire:1">
+      <ocil:title>Disable Kerberos Authentication</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-kernel_config_seccomp_filter_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-sshd_disable_kerb_auth_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-auditd_data_retention_admin_space_left_action_ocil:questionnaire:1">
-      <ocil:title>Configure auditd admin_space_left Action on Low Disk Space</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-auditd_overflow_action_ocil:questionnaire:1">
+      <ocil:title>Appropriate Action Must be Setup When the Internal Audit Event Queue is Full</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-auditd_data_retention_admin_space_left_action_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-auditd_overflow_action_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-auditd_data_retention_max_log_file_action_stig_ocil:questionnaire:1">
-      <ocil:title>Configure auditd max_log_file_action Upon Reaching Maximum Log Size</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-auditd_data_disk_error_action_stig_ocil:questionnaire:1">
+      <ocil:title>Configure auditd Disk Error Action on Disk Error</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-auditd_data_retention_max_log_file_action_stig_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-auditd_data_disk_error_action_stig_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-audit_rules_file_deletion_events_unlinkat_ocil:questionnaire:1">
-      <ocil:title>Ensure auditd Collects File Deletion Events by User - unlinkat</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-sshd_set_idle_timeout_ocil:questionnaire:1">
+      <ocil:title>Set SSH Client Alive Interval</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-audit_rules_file_deletion_events_unlinkat_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-sshd_set_idle_timeout_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-file_owner_backup_etc_gshadow_ocil:questionnaire:1">
-      <ocil:title>Verify User Who Owns Backup gshadow File</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-no_direct_root_logins_ocil:questionnaire:1">
+      <ocil:title>Direct root Logins Not Allowed</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-file_owner_backup_etc_gshadow_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-no_direct_root_logins_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-kernel_config_randomize_memory_ocil:questionnaire:1">
-      <ocil:title>Randomize the kernel memory sections</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-accounts_polyinstantiated_tmp_ocil:questionnaire:1">
+      <ocil:title>Configure Polyinstantiation of /tmp Directories</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-kernel_config_randomize_memory_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-accounts_polyinstantiated_tmp_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-file_owner_etc_shadow_ocil:questionnaire:1">
-      <ocil:title>Verify User Who Owns shadow File</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-kernel_module_ipv6_option_disabled_ocil:questionnaire:1">
+      <ocil:title>Disable IPv6 Networking Support Automatic Loading</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-file_owner_etc_shadow_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-kernel_module_ipv6_option_disabled_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-audit_rules_file_deletion_events_rename_ocil:questionnaire:1">
-      <ocil:title>Ensure auditd Collects File Deletion Events by User - rename</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-accounts_umask_etc_login_defs_ocil:questionnaire:1">
+      <ocil:title>Ensure the Default Umask is Set Correctly in login.defs</ocil:title>
       <ocil:actions>
/usr/share/xml/scap/ssg/content/ssg-ubuntu1604-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ubuntu1604-xccdf.xml	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu1604-xccdf.xml	2023-07-27 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
 <?xml version="1.0"?>
 <xccdf-1.2:Benchmark xmlns:cpe-lang="http://cpe.mitre.org/language/2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:html="http://www.w3.org/1999/xhtml" xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="xccdf_org.ssgproject.content_benchmark_UBUNTU-XENIAL" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.2 xccdf-1.2.xsd" style="SCAP_1.2" resolved="true" xml:lang="en-US">
-  <xccdf-1.2:status date="2023-07-27">draft</xccdf-1.2:status>
+  <xccdf-1.2:status date="2039-08-29">draft</xccdf-1.2:status>
   <xccdf-1.2:title>Guide to the Secure Configuration of Ubuntu 16.04</xccdf-1.2:title>
   <xccdf-1.2:description>This guide presents a catalog of security-relevant
 configuration settings for Ubuntu 16.04. It is a rendering of
@@ -43,10 +43,24 @@
 countries. All other names are registered trademarks or trademarks of their
 respective companies.</xccdf-1.2:rear-matter>
   <cpe-lang:platform-specification>
-    <cpe-lang:platform id="machine_and_not_s390x_arch">
+    <cpe-lang:platform id="not_package_chrony_and_not_package_ntp">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
+        <cpe-lang:logical-test operator="AND" negate="true">
+          <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
+        </cpe-lang:logical-test>
+        <cpe-lang:logical-test operator="AND" negate="true">
+          <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
+        </cpe-lang:logical-test>
+      </cpe-lang:logical-test>
+    </cpe-lang:platform>
+    <cpe-lang:platform id="package_postfix">
+      <cpe-lang:logical-test operator="AND" negate="false">
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
+      </cpe-lang:logical-test>
+    </cpe-lang:platform>
+    <cpe-lang:platform id="non-uefi">
+      <cpe-lang:logical-test operator="AND" negate="false">
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
     <cpe-lang:platform id="machine_and_not_osbuild">
@@ -57,44 +71,41 @@
         <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_sssd">
+    <cpe-lang:platform id="package_ntp">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_postfix">
+    <cpe-lang:platform id="machine_and_not_s390x_arch">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_pam">
+    <cpe-lang:platform id="package_sssd">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
-      </cpe-lang:logical-test>
-    </cpe-lang:platform>
-    <cpe-lang:platform id="not_osbuild">
-      <cpe-lang:logical-test operator="AND" negate="true">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="machine">
+    <cpe-lang:platform id="machine_and_package_ufw">
       <cpe-lang:logical-test operator="AND" negate="false">
         <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_shadow-utils">
+    <cpe-lang:platform id="package_gdm">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-package_shadow-utils:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-package_gdm:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_systemd">
+    <cpe-lang:platform id="package_pam">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-package_systemd:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="non-uefi">
+    <cpe-lang:platform id="package_chrony">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
     <cpe-lang:platform id="package_sudo">
@@ -102,19 +113,14 @@
         <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-package_sudo:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="not_package_nftables_and_not_package_ufw">
+    <cpe-lang:platform id="package_systemd">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:logical-test operator="AND" negate="true">
-          <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-package_nftables:def:1"/>
-        </cpe-lang:logical-test>
-        <cpe-lang:logical-test operator="AND" negate="true">
-          <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
-        </cpe-lang:logical-test>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-package_systemd:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_gdm">
+    <cpe-lang:platform id="aarch64_arch">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-package_gdm:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
     <cpe-lang:platform id="grub2">
@@ -122,24 +128,29 @@
         <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_grub2_package:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_ntp">
-      <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
+    <cpe-lang:platform id="not_osbuild">
+      <cpe-lang:logical-test operator="AND" negate="true">
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_chrony">
+    <cpe-lang:platform id="not_package_nftables_and_not_package_ufw">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
+        <cpe-lang:logical-test operator="AND" negate="true">
+          <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-package_nftables:def:1"/>
+        </cpe-lang:logical-test>
+        <cpe-lang:logical-test operator="AND" negate="true">
+          <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
+        </cpe-lang:logical-test>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="aarch64_arch">
+    <cpe-lang:platform id="machine">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="s390x_arch">
+    <cpe-lang:platform id="uefi">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_s390x:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_uefi:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
     <cpe-lang:platform id="package_audit">
@@ -147,25 +158,14 @@
         <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-package_audit:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="uefi">
-      <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_uefi:def:1"/>
-      </cpe-lang:logical-test>
-    </cpe-lang:platform>
-    <cpe-lang:platform id="not_package_chrony_and_not_package_ntp">
+    <cpe-lang:platform id="package_shadow-utils">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:logical-test operator="AND" negate="true">
-          <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
-        </cpe-lang:logical-test>
-        <cpe-lang:logical-test operator="AND" negate="true">
-          <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
-        </cpe-lang:logical-test>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-package_shadow-utils:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="machine_and_package_ufw">
+    <cpe-lang:platform id="s390x_arch">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1604-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_s390x:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
   </cpe-lang:platform-specification>
@@ -3639,6 +3639,11 @@
           <xccdf-1.2:fix system="urn:xccdf:fix:script:sh" id="package_gnutls-utils_installed" complexity="low" disruption="low" reboot="false" strategy="enable">
 DEBIAN_FRONTEND=noninteractive apt-get install -y "gnutls-utils"
 </xccdf-1.2:fix>
+          <xccdf-1.2:fix system="urn:redhat:osbuild:blueprint" id="package_gnutls-utils_installed">
+[[packages]]
+name = "gnutls-utils"
+version = "*"
+</xccdf-1.2:fix>
/usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ds-1.2.xml	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ds-1.2.xml	2023-07-27 00:00:00.000000000 +0000
@@ -33,7 +33,7 @@
   </ds:component>
   <ds:component id="scap_org.open-scap_comp_ssg-ubuntu1804-xccdf.xml" timestamp="2023-07-27T00:00:00">
     <xccdf-1.2:Benchmark id="xccdf_org.ssgproject.content_benchmark_UBUNTU-BIONIC" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.2 xccdf-1.2.xsd" style="SCAP_1.2" resolved="true" xml:lang="en-US">
-      <xccdf-1.2:status date="2023-07-27">draft</xccdf-1.2:status>
+      <xccdf-1.2:status date="2039-08-29">draft</xccdf-1.2:status>
       <xccdf-1.2:title>Guide to the Secure Configuration of Ubuntu 18.04</xccdf-1.2:title>
       <xccdf-1.2:description>This guide presents a catalog of security-relevant
 configuration settings for Ubuntu 18.04. It is a rendering of
@@ -76,10 +76,24 @@
 countries. All other names are registered trademarks or trademarks of their
 respective companies.</xccdf-1.2:rear-matter>
       <cpe-lang:platform-specification>
-        <cpe-lang:platform id="machine_and_not_s390x_arch">
+        <cpe-lang:platform id="not_package_chrony_and_not_package_ntp">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
+            <cpe-lang:logical-test operator="AND" negate="true">
+              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
+            </cpe-lang:logical-test>
+            <cpe-lang:logical-test operator="AND" negate="true">
+              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
+            </cpe-lang:logical-test>
+          </cpe-lang:logical-test>
+        </cpe-lang:platform>
+        <cpe-lang:platform id="package_postfix">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
+          </cpe-lang:logical-test>
+        </cpe-lang:platform>
+        <cpe-lang:platform id="non-uefi">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="machine_and_not_osbuild">
@@ -90,56 +104,53 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_sssd">
+        <cpe-lang:platform id="package_ntp">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_postfix">
+        <cpe-lang:platform id="machine_and_mount_tmp">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_tmp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_mount_var-tmp">
+        <cpe-lang:platform id="machine_and_not_s390x_arch">
           <cpe-lang:logical-test operator="AND" negate="false">
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_var-tmp:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_pam">
+        <cpe-lang:platform id="package_sssd">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
-          </cpe-lang:logical-test>
-        </cpe-lang:platform>
-        <cpe-lang:platform id="not_osbuild">
-          <cpe-lang:logical-test operator="AND" negate="true">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine">
+        <cpe-lang:platform id="machine_and_package_ufw">
           <cpe-lang:logical-test operator="AND" negate="false">
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_shadow-utils">
+        <cpe-lang:platform id="package_gdm">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-package_shadow-utils:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-package_gdm:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_systemd">
+        <cpe-lang:platform id="package_pam">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-package_systemd:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="non-uefi">
+        <cpe-lang:platform id="package_chrony">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_mount_tmp">
+        <cpe-lang:platform id="machine_and_mount_var-tmp">
           <cpe-lang:logical-test operator="AND" negate="false">
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_tmp:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_var-tmp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="package_sudo">
@@ -147,19 +158,14 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-package_sudo:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="not_package_nftables_and_not_package_ufw">
+        <cpe-lang:platform id="package_systemd">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:logical-test operator="AND" negate="true">
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-package_nftables:def:1"/>
-            </cpe-lang:logical-test>
-            <cpe-lang:logical-test operator="AND" negate="true">
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
-            </cpe-lang:logical-test>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-package_systemd:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_gdm">
+        <cpe-lang:platform id="aarch64_arch">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-package_gdm:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="grub2">
@@ -167,24 +173,29 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_grub2_package:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_ntp">
-          <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
+        <cpe-lang:platform id="not_osbuild">
+          <cpe-lang:logical-test operator="AND" negate="true">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_chrony">
+        <cpe-lang:platform id="not_package_nftables_and_not_package_ufw">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
+            <cpe-lang:logical-test operator="AND" negate="true">
+              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-package_nftables:def:1"/>
+            </cpe-lang:logical-test>
+            <cpe-lang:logical-test operator="AND" negate="true">
+              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
+            </cpe-lang:logical-test>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="aarch64_arch">
+        <cpe-lang:platform id="machine">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="s390x_arch">
+        <cpe-lang:platform id="uefi">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_s390x:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_uefi:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="package_audit">
@@ -192,25 +203,14 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-package_audit:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="uefi">
-          <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_uefi:def:1"/>
-          </cpe-lang:logical-test>
-        </cpe-lang:platform>
-        <cpe-lang:platform id="not_package_chrony_and_not_package_ntp">
+        <cpe-lang:platform id="package_shadow-utils">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:logical-test operator="AND" negate="true">
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
-            </cpe-lang:logical-test>
-            <cpe-lang:logical-test operator="AND" negate="true">
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
-            </cpe-lang:logical-test>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-package_shadow-utils:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_package_ufw">
/usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ds.xml	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ds.xml	2023-07-27 00:00:00.000000000 +0000
@@ -33,7 +33,7 @@
   </ds:component>
   <ds:component id="scap_org.open-scap_comp_ssg-ubuntu1804-xccdf.xml" timestamp="2023-07-27T00:00:00">
     <xccdf-1.2:Benchmark id="xccdf_org.ssgproject.content_benchmark_UBUNTU-BIONIC" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.2 xccdf-1.2.xsd" style="SCAP_1.2" resolved="true" xml:lang="en-US">
-      <xccdf-1.2:status date="2023-07-27">draft</xccdf-1.2:status>
+      <xccdf-1.2:status date="2039-08-29">draft</xccdf-1.2:status>
       <xccdf-1.2:title>Guide to the Secure Configuration of Ubuntu 18.04</xccdf-1.2:title>
       <xccdf-1.2:description>This guide presents a catalog of security-relevant
 configuration settings for Ubuntu 18.04. It is a rendering of
@@ -76,10 +76,24 @@
 countries. All other names are registered trademarks or trademarks of their
 respective companies.</xccdf-1.2:rear-matter>
       <cpe-lang:platform-specification>
-        <cpe-lang:platform id="machine_and_not_s390x_arch">
+        <cpe-lang:platform id="not_package_chrony_and_not_package_ntp">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
+            <cpe-lang:logical-test operator="AND" negate="true">
+              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
+            </cpe-lang:logical-test>
+            <cpe-lang:logical-test operator="AND" negate="true">
+              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
+            </cpe-lang:logical-test>
+          </cpe-lang:logical-test>
+        </cpe-lang:platform>
+        <cpe-lang:platform id="package_postfix">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
+          </cpe-lang:logical-test>
+        </cpe-lang:platform>
+        <cpe-lang:platform id="non-uefi">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="machine_and_not_osbuild">
@@ -90,56 +104,53 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_sssd">
+        <cpe-lang:platform id="package_ntp">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_postfix">
+        <cpe-lang:platform id="machine_and_mount_tmp">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_tmp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_mount_var-tmp">
+        <cpe-lang:platform id="machine_and_not_s390x_arch">
           <cpe-lang:logical-test operator="AND" negate="false">
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_var-tmp:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_pam">
+        <cpe-lang:platform id="package_sssd">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
-          </cpe-lang:logical-test>
-        </cpe-lang:platform>
-        <cpe-lang:platform id="not_osbuild">
-          <cpe-lang:logical-test operator="AND" negate="true">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine">
+        <cpe-lang:platform id="machine_and_package_ufw">
           <cpe-lang:logical-test operator="AND" negate="false">
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_shadow-utils">
+        <cpe-lang:platform id="package_gdm">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-package_shadow-utils:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-package_gdm:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_systemd">
+        <cpe-lang:platform id="package_pam">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-package_systemd:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="non-uefi">
+        <cpe-lang:platform id="package_chrony">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_mount_tmp">
+        <cpe-lang:platform id="machine_and_mount_var-tmp">
           <cpe-lang:logical-test operator="AND" negate="false">
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_tmp:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_var-tmp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="package_sudo">
@@ -147,19 +158,14 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-package_sudo:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="not_package_nftables_and_not_package_ufw">
+        <cpe-lang:platform id="package_systemd">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:logical-test operator="AND" negate="true">
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-package_nftables:def:1"/>
-            </cpe-lang:logical-test>
-            <cpe-lang:logical-test operator="AND" negate="true">
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
-            </cpe-lang:logical-test>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-package_systemd:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_gdm">
+        <cpe-lang:platform id="aarch64_arch">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-package_gdm:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="grub2">
@@ -167,24 +173,29 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_grub2_package:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_ntp">
-          <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
+        <cpe-lang:platform id="not_osbuild">
+          <cpe-lang:logical-test operator="AND" negate="true">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_chrony">
+        <cpe-lang:platform id="not_package_nftables_and_not_package_ufw">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
+            <cpe-lang:logical-test operator="AND" negate="true">
+              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-package_nftables:def:1"/>
+            </cpe-lang:logical-test>
+            <cpe-lang:logical-test operator="AND" negate="true">
+              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
+            </cpe-lang:logical-test>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="aarch64_arch">
+        <cpe-lang:platform id="machine">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="s390x_arch">
+        <cpe-lang:platform id="uefi">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_s390x:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_uefi:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="package_audit">
@@ -192,25 +203,14 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-package_audit:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="uefi">
-          <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_uefi:def:1"/>
-          </cpe-lang:logical-test>
-        </cpe-lang:platform>
-        <cpe-lang:platform id="not_package_chrony_and_not_package_ntp">
+        <cpe-lang:platform id="package_shadow-utils">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:logical-test operator="AND" negate="true">
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
-            </cpe-lang:logical-test>
-            <cpe-lang:logical-test operator="AND" negate="true">
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
-            </cpe-lang:logical-test>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-package_shadow-utils:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_package_ufw">
/usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ocil.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ocil.xml	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu1804-ocil.xml	2023-07-27 00:00:00.000000000 +0000
@@ -7,448 +7,442 @@
     <ocil:timestamp>2023-07-27T00:00:00</ocil:timestamp>
   </ocil:generator>
   <ocil:questionnaires>
-    <ocil:questionnaire id="ocil:ssg-account_passwords_pam_faillock_dir_ocil:questionnaire:1">
-      <ocil:title>Account Lockouts Must Persist</ocil:title>
-      <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-account_passwords_pam_faillock_dir_action:testaction:1</ocil:test_action_ref>
-      </ocil:actions>
-    </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-sshd_enable_warning_banner_net_ocil:questionnaire:1">
-      <ocil:title>Enable SSH Warning Banner</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-kernel_config_kexec_ocil:questionnaire:1">
+      <ocil:title>Disable kexec system call</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-sshd_enable_warning_banner_net_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-kernel_config_kexec_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-mount_option_tmp_nodev_ocil:questionnaire:1">
-      <ocil:title>Add nodev Option to /tmp</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-rsyslog_files_ownership_ocil:questionnaire:1">
+      <ocil:title>Ensure Log Files Are Owned By Appropriate User</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-mount_option_tmp_nodev_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-rsyslog_files_ownership_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-package_MFEhiplsm_installed_ocil:questionnaire:1">
-      <ocil:title>Install the Host Intrusion Prevention System (HIPS) Module</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-auditd_data_retention_max_log_file_action_ocil:questionnaire:1">
+      <ocil:title>Configure auditd max_log_file_action Upon Reaching Maximum Log Size</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-package_MFEhiplsm_installed_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-auditd_data_retention_max_log_file_action_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-grub2_disable_recovery_ocil:questionnaire:1">
-      <ocil:title>Disable Recovery Booting</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-file_groupowner_var_log_syslog_ocil:questionnaire:1">
+      <ocil:title>Verify Group Who Owns /var/log/syslog File</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-grub2_disable_recovery_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-file_groupowner_var_log_syslog_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-sudo_vdsm_nopasswd_ocil:questionnaire:1">
-      <ocil:title>Only the VDSM User Can Use sudo NOPASSWD</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-grub2_nosmep_argument_absent_ocil:questionnaire:1">
+      <ocil:title>Ensure SMEP is not disabled during boot</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-sudo_vdsm_nopasswd_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-grub2_nosmep_argument_absent_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-file_owner_var_log_messages_ocil:questionnaire:1">
-      <ocil:title>Verify User Who Owns /var/log/messages File</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-auditd_data_disk_full_action_ocil:questionnaire:1">
+      <ocil:title>Configure auditd Disk Full Action when Disk Space Is Full</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-file_owner_var_log_messages_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-auditd_data_disk_full_action_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-file_groupowner_etc_shadow_ocil:questionnaire:1">
-      <ocil:title>Verify Group Who Owns shadow File</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-set_iptables_default_rule_forward_ocil:questionnaire:1">
+      <ocil:title>Set Default iptables Policy for Forwarded Packets</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-file_groupowner_etc_shadow_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-set_iptables_default_rule_forward_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-file_permissions_backup_etc_shadow_ocil:questionnaire:1">
-      <ocil:title>Verify Permissions on Backup shadow File</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-dir_ownership_library_dirs_ocil:questionnaire:1">
+      <ocil:title>Verify that Shared Library Directories Have Root Ownership</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-file_permissions_backup_etc_shadow_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-dir_ownership_library_dirs_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-set_ip6tables_default_rule_ocil:questionnaire:1">
-      <ocil:title>Set Default ip6tables Policy for Incoming Packets</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-audit_rules_time_adjtimex_ocil:questionnaire:1">
+      <ocil:title>Record attempts to alter time through adjtimex</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-set_ip6tables_default_rule_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-audit_rules_time_adjtimex_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-file_groupowner_backup_etc_shadow_ocil:questionnaire:1">
-      <ocil:title>Verify User Who Owns Backup shadow File</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-package_rsyslog_installed_ocil:questionnaire:1">
+      <ocil:title>Ensure rsyslog is Installed</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-file_groupowner_backup_etc_shadow_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-package_rsyslog_installed_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-audit_rules_sysadmin_actions_ocil:questionnaire:1">
-      <ocil:title>Ensure auditd Collects System Administrator Actions</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-grub2_nosmap_argument_absent_ocil:questionnaire:1">
+      <ocil:title>Ensure SMAP is not disabled during boot</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-audit_rules_sysadmin_actions_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-sshd_enable_pubkey_auth_ocil:questionnaire:1">
-      <ocil:title>Enable Public Key Authentication</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-sshd_disable_rhosts_rsa_ocil:questionnaire:1">
+      <ocil:title>Disable SSH Support for Rhosts RSA Authentication</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-sshd_enable_pubkey_auth_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-sshd_disable_rhosts_rsa_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv4_conf_all_arp_filter_ocil:questionnaire:1">
-      <ocil:title>Configure ARP filtering for All IPv4 Interfaces</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-configure_user_data_backups_ocil:questionnaire:1">
+      <ocil:title>Configure Backups of User Data</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv4_conf_all_arp_filter_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-configure_user_data_backups_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-file_groupowner_backup_etc_gshadow_ocil:questionnaire:1">
-      <ocil:title>Verify Group Who Owns Backup gshadow File</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-service_ufw_enabled_ocil:questionnaire:1">
+      <ocil:title>Verify ufw Enabled</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-file_groupowner_backup_etc_gshadow_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-service_ufw_enabled_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-kernel_config_seccomp_filter_ocil:questionnaire:1">
-      <ocil:title>Enable use of Berkeley Packet Filter with seccomp</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-sshd_disable_kerb_auth_ocil:questionnaire:1">
+      <ocil:title>Disable Kerberos Authentication</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-kernel_config_seccomp_filter_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-sshd_disable_kerb_auth_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-auditd_data_retention_admin_space_left_action_ocil:questionnaire:1">
-      <ocil:title>Configure auditd admin_space_left Action on Low Disk Space</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-auditd_overflow_action_ocil:questionnaire:1">
+      <ocil:title>Appropriate Action Must be Setup When the Internal Audit Event Queue is Full</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-auditd_data_retention_admin_space_left_action_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-auditd_overflow_action_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-auditd_data_retention_max_log_file_action_stig_ocil:questionnaire:1">
-      <ocil:title>Configure auditd max_log_file_action Upon Reaching Maximum Log Size</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-auditd_data_disk_error_action_stig_ocil:questionnaire:1">
+      <ocil:title>Configure auditd Disk Error Action on Disk Error</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-auditd_data_retention_max_log_file_action_stig_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-auditd_data_disk_error_action_stig_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-audit_rules_file_deletion_events_unlinkat_ocil:questionnaire:1">
-      <ocil:title>Ensure auditd Collects File Deletion Events by User - unlinkat</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-sshd_set_idle_timeout_ocil:questionnaire:1">
+      <ocil:title>Set SSH Client Alive Interval</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-audit_rules_file_deletion_events_unlinkat_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-sshd_set_idle_timeout_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-file_owner_backup_etc_gshadow_ocil:questionnaire:1">
-      <ocil:title>Verify User Who Owns Backup gshadow File</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-no_direct_root_logins_ocil:questionnaire:1">
+      <ocil:title>Direct root Logins Not Allowed</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-file_owner_backup_etc_gshadow_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-no_direct_root_logins_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-kernel_config_randomize_memory_ocil:questionnaire:1">
-      <ocil:title>Randomize the kernel memory sections</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-accounts_polyinstantiated_tmp_ocil:questionnaire:1">
+      <ocil:title>Configure Polyinstantiation of /tmp Directories</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-kernel_config_randomize_memory_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-accounts_polyinstantiated_tmp_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-file_owner_etc_shadow_ocil:questionnaire:1">
-      <ocil:title>Verify User Who Owns shadow File</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-kernel_module_ipv6_option_disabled_ocil:questionnaire:1">
+      <ocil:title>Disable IPv6 Networking Support Automatic Loading</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-file_owner_etc_shadow_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-kernel_module_ipv6_option_disabled_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
/usr/share/xml/scap/ssg/content/ssg-ubuntu1804-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ubuntu1804-xccdf.xml	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu1804-xccdf.xml	2023-07-27 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
 <?xml version="1.0"?>
 <xccdf-1.2:Benchmark xmlns:cpe-lang="http://cpe.mitre.org/language/2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:html="http://www.w3.org/1999/xhtml" xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="xccdf_org.ssgproject.content_benchmark_UBUNTU-BIONIC" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.2 xccdf-1.2.xsd" style="SCAP_1.2" resolved="true" xml:lang="en-US">
-  <xccdf-1.2:status date="2023-07-27">draft</xccdf-1.2:status>
+  <xccdf-1.2:status date="2039-08-29">draft</xccdf-1.2:status>
   <xccdf-1.2:title>Guide to the Secure Configuration of Ubuntu 18.04</xccdf-1.2:title>
   <xccdf-1.2:description>This guide presents a catalog of security-relevant
 configuration settings for Ubuntu 18.04. It is a rendering of
@@ -43,10 +43,24 @@
 countries. All other names are registered trademarks or trademarks of their
 respective companies.</xccdf-1.2:rear-matter>
   <cpe-lang:platform-specification>
-    <cpe-lang:platform id="machine_and_not_s390x_arch">
+    <cpe-lang:platform id="not_package_chrony_and_not_package_ntp">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
+        <cpe-lang:logical-test operator="AND" negate="true">
+          <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
+        </cpe-lang:logical-test>
+        <cpe-lang:logical-test operator="AND" negate="true">
+          <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
+        </cpe-lang:logical-test>
+      </cpe-lang:logical-test>
+    </cpe-lang:platform>
+    <cpe-lang:platform id="package_postfix">
+      <cpe-lang:logical-test operator="AND" negate="false">
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
+      </cpe-lang:logical-test>
+    </cpe-lang:platform>
+    <cpe-lang:platform id="non-uefi">
+      <cpe-lang:logical-test operator="AND" negate="false">
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
     <cpe-lang:platform id="machine_and_not_osbuild">
@@ -57,56 +71,53 @@
         <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_sssd">
+    <cpe-lang:platform id="package_ntp">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_postfix">
+    <cpe-lang:platform id="machine_and_mount_tmp">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_tmp:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="machine_and_mount_var-tmp">
+    <cpe-lang:platform id="machine_and_not_s390x_arch">
       <cpe-lang:logical-test operator="AND" negate="false">
         <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_var-tmp:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_pam">
+    <cpe-lang:platform id="package_sssd">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
-      </cpe-lang:logical-test>
-    </cpe-lang:platform>
-    <cpe-lang:platform id="not_osbuild">
-      <cpe-lang:logical-test operator="AND" negate="true">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="machine">
+    <cpe-lang:platform id="machine_and_package_ufw">
       <cpe-lang:logical-test operator="AND" negate="false">
         <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_shadow-utils">
+    <cpe-lang:platform id="package_gdm">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-package_shadow-utils:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-package_gdm:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_systemd">
+    <cpe-lang:platform id="package_pam">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-package_systemd:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="non-uefi">
+    <cpe-lang:platform id="package_chrony">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="machine_and_mount_tmp">
+    <cpe-lang:platform id="machine_and_mount_var-tmp">
       <cpe-lang:logical-test operator="AND" negate="false">
         <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_tmp:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_var-tmp:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
     <cpe-lang:platform id="package_sudo">
@@ -114,19 +125,14 @@
         <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-package_sudo:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="not_package_nftables_and_not_package_ufw">
+    <cpe-lang:platform id="package_systemd">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:logical-test operator="AND" negate="true">
-          <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-package_nftables:def:1"/>
-        </cpe-lang:logical-test>
-        <cpe-lang:logical-test operator="AND" negate="true">
-          <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
-        </cpe-lang:logical-test>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-package_systemd:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_gdm">
+    <cpe-lang:platform id="aarch64_arch">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-package_gdm:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
     <cpe-lang:platform id="grub2">
@@ -134,24 +140,29 @@
         <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_grub2_package:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_ntp">
-      <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
+    <cpe-lang:platform id="not_osbuild">
+      <cpe-lang:logical-test operator="AND" negate="true">
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_chrony">
+    <cpe-lang:platform id="not_package_nftables_and_not_package_ufw">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
+        <cpe-lang:logical-test operator="AND" negate="true">
+          <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-package_nftables:def:1"/>
+        </cpe-lang:logical-test>
+        <cpe-lang:logical-test operator="AND" negate="true">
+          <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
+        </cpe-lang:logical-test>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="aarch64_arch">
+    <cpe-lang:platform id="machine">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="s390x_arch">
+    <cpe-lang:platform id="uefi">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_s390x:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_uefi:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
     <cpe-lang:platform id="package_audit">
@@ -159,25 +170,14 @@
         <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-package_audit:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="uefi">
-      <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_uefi:def:1"/>
-      </cpe-lang:logical-test>
-    </cpe-lang:platform>
-    <cpe-lang:platform id="not_package_chrony_and_not_package_ntp">
+    <cpe-lang:platform id="package_shadow-utils">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:logical-test operator="AND" negate="true">
-          <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
-        </cpe-lang:logical-test>
-        <cpe-lang:logical-test operator="AND" negate="true">
-          <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
-        </cpe-lang:logical-test>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu1804-cpe-oval.xml" id-ref="oval:ssg-package_shadow-utils:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="machine_and_package_ufw">
+    <cpe-lang:platform id="s390x_arch">
/usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ds-1.2.xml	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ds-1.2.xml	2023-07-27 00:00:00.000000000 +0000
@@ -33,7 +33,7 @@
   </ds:component>
   <ds:component id="scap_org.open-scap_comp_ssg-ubuntu2004-xccdf.xml" timestamp="2023-07-27T00:00:00">
     <xccdf-1.2:Benchmark id="xccdf_org.ssgproject.content_benchmark_UBUNTU_20-04" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.2 xccdf-1.2.xsd" style="SCAP_1.2" resolved="true" xml:lang="en-US">
-      <xccdf-1.2:status date="2023-07-27">draft</xccdf-1.2:status>
+      <xccdf-1.2:status date="2039-08-29">draft</xccdf-1.2:status>
       <xccdf-1.2:title>Guide to the Secure Configuration of Ubuntu 20.04</xccdf-1.2:title>
       <xccdf-1.2:description>This guide presents a catalog of security-relevant
 configuration settings for Ubuntu 20.04. It is a rendering of
@@ -76,15 +76,29 @@
 countries. All other names are registered trademarks or trademarks of their
 respective companies.</xccdf-1.2:rear-matter>
       <cpe-lang:platform-specification>
-        <cpe-lang:platform id="package_ufw">
+        <cpe-lang:platform id="wifi-iface">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_wifi_interface:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_not_s390x_arch">
+        <cpe-lang:platform id="not_package_chrony_and_not_package_ntp">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
+            <cpe-lang:logical-test operator="AND" negate="true">
+              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
+            </cpe-lang:logical-test>
+            <cpe-lang:logical-test operator="AND" negate="true">
+              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
+            </cpe-lang:logical-test>
+          </cpe-lang:logical-test>
+        </cpe-lang:platform>
+        <cpe-lang:platform id="package_postfix">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
+          </cpe-lang:logical-test>
+        </cpe-lang:platform>
+        <cpe-lang:platform id="non-uefi">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="machine_and_not_osbuild">
@@ -95,40 +109,53 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_sssd">
+        <cpe-lang:platform id="package_ntp">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_postfix">
+        <cpe-lang:platform id="machine_and_mount_tmp">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_tmp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_mount_var-tmp">
+        <cpe-lang:platform id="machine_and_not_s390x_arch">
           <cpe-lang:logical-test operator="AND" negate="false">
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_var-tmp:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_pam">
+        <cpe-lang:platform id="package_sssd">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="not_osbuild">
-          <cpe-lang:logical-test operator="AND" negate="true">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
+        <cpe-lang:platform id="machine_and_package_ufw">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine">
+        <cpe-lang:platform id="package_chrony_or_package_ntp">
+          <cpe-lang:logical-test operator="OR" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
+          </cpe-lang:logical-test>
+        </cpe-lang:platform>
+        <cpe-lang:platform id="package_nftables">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-package_nftables:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_shadow-utils">
+        <cpe-lang:platform id="package_gdm">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-package_shadow-utils:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-package_gdm:def:1"/>
+          </cpe-lang:logical-test>
+        </cpe-lang:platform>
+        <cpe-lang:platform id="package_pam">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="not_s390x_arch">
@@ -141,26 +168,15 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-installed_OS_is_rhcos4_rhel9:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_chrony_or_package_ntp">
-          <cpe-lang:logical-test operator="OR" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
-          </cpe-lang:logical-test>
-        </cpe-lang:platform>
-        <cpe-lang:platform id="package_systemd">
-          <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-package_systemd:def:1"/>
-          </cpe-lang:logical-test>
-        </cpe-lang:platform>
-        <cpe-lang:platform id="non-uefi">
+        <cpe-lang:platform id="package_chrony">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_mount_tmp">
+        <cpe-lang:platform id="machine_and_mount_var-tmp">
           <cpe-lang:logical-test operator="AND" negate="false">
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_tmp:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_var-tmp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="package_sudo">
@@ -168,24 +184,19 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-package_sudo:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_nftables">
+        <cpe-lang:platform id="package_systemd">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-package_nftables:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-package_systemd:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="not_package_nftables_and_not_package_ufw">
+        <cpe-lang:platform id="aarch64_arch">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:logical-test operator="AND" negate="true">
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-package_nftables:def:1"/>
-            </cpe-lang:logical-test>
-            <cpe-lang:logical-test operator="AND" negate="true">
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
-            </cpe-lang:logical-test>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_gdm">
+        <cpe-lang:platform id="package_ufw">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-package_gdm:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="grub2">
@@ -193,29 +204,29 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_grub2_package:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="wifi-iface">
-          <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_wifi_interface:def:1"/>
-          </cpe-lang:logical-test>
-        </cpe-lang:platform>
-        <cpe-lang:platform id="package_ntp">
-          <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
+        <cpe-lang:platform id="not_osbuild">
+          <cpe-lang:logical-test operator="AND" negate="true">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_chrony">
+        <cpe-lang:platform id="not_package_nftables_and_not_package_ufw">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
+            <cpe-lang:logical-test operator="AND" negate="true">
+              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-package_nftables:def:1"/>
/usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ds.xml	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ds.xml	2023-07-27 00:00:00.000000000 +0000
@@ -33,7 +33,7 @@
   </ds:component>
   <ds:component id="scap_org.open-scap_comp_ssg-ubuntu2004-xccdf.xml" timestamp="2023-07-27T00:00:00">
     <xccdf-1.2:Benchmark id="xccdf_org.ssgproject.content_benchmark_UBUNTU_20-04" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.2 xccdf-1.2.xsd" style="SCAP_1.2" resolved="true" xml:lang="en-US">
-      <xccdf-1.2:status date="2023-07-27">draft</xccdf-1.2:status>
+      <xccdf-1.2:status date="2039-08-29">draft</xccdf-1.2:status>
       <xccdf-1.2:title>Guide to the Secure Configuration of Ubuntu 20.04</xccdf-1.2:title>
       <xccdf-1.2:description>This guide presents a catalog of security-relevant
 configuration settings for Ubuntu 20.04. It is a rendering of
@@ -76,15 +76,29 @@
 countries. All other names are registered trademarks or trademarks of their
 respective companies.</xccdf-1.2:rear-matter>
       <cpe-lang:platform-specification>
-        <cpe-lang:platform id="package_ufw">
+        <cpe-lang:platform id="wifi-iface">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_wifi_interface:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_not_s390x_arch">
+        <cpe-lang:platform id="not_package_chrony_and_not_package_ntp">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
+            <cpe-lang:logical-test operator="AND" negate="true">
+              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
+            </cpe-lang:logical-test>
+            <cpe-lang:logical-test operator="AND" negate="true">
+              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
+            </cpe-lang:logical-test>
+          </cpe-lang:logical-test>
+        </cpe-lang:platform>
+        <cpe-lang:platform id="package_postfix">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
+          </cpe-lang:logical-test>
+        </cpe-lang:platform>
+        <cpe-lang:platform id="non-uefi">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="machine_and_not_osbuild">
@@ -95,40 +109,53 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_sssd">
+        <cpe-lang:platform id="package_ntp">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_postfix">
+        <cpe-lang:platform id="machine_and_mount_tmp">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_tmp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_mount_var-tmp">
+        <cpe-lang:platform id="machine_and_not_s390x_arch">
           <cpe-lang:logical-test operator="AND" negate="false">
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_var-tmp:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_pam">
+        <cpe-lang:platform id="package_sssd">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="not_osbuild">
-          <cpe-lang:logical-test operator="AND" negate="true">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
+        <cpe-lang:platform id="machine_and_package_ufw">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine">
+        <cpe-lang:platform id="package_chrony_or_package_ntp">
+          <cpe-lang:logical-test operator="OR" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
+          </cpe-lang:logical-test>
+        </cpe-lang:platform>
+        <cpe-lang:platform id="package_nftables">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-package_nftables:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_shadow-utils">
+        <cpe-lang:platform id="package_gdm">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-package_shadow-utils:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-package_gdm:def:1"/>
+          </cpe-lang:logical-test>
+        </cpe-lang:platform>
+        <cpe-lang:platform id="package_pam">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="not_s390x_arch">
@@ -141,26 +168,15 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-installed_OS_is_rhcos4_rhel9:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_chrony_or_package_ntp">
-          <cpe-lang:logical-test operator="OR" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
-          </cpe-lang:logical-test>
-        </cpe-lang:platform>
-        <cpe-lang:platform id="package_systemd">
-          <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-package_systemd:def:1"/>
-          </cpe-lang:logical-test>
-        </cpe-lang:platform>
-        <cpe-lang:platform id="non-uefi">
+        <cpe-lang:platform id="package_chrony">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_mount_tmp">
+        <cpe-lang:platform id="machine_and_mount_var-tmp">
           <cpe-lang:logical-test operator="AND" negate="false">
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_tmp:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_var-tmp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="package_sudo">
@@ -168,24 +184,19 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-package_sudo:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_nftables">
+        <cpe-lang:platform id="package_systemd">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-package_nftables:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-package_systemd:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="not_package_nftables_and_not_package_ufw">
+        <cpe-lang:platform id="aarch64_arch">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:logical-test operator="AND" negate="true">
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-package_nftables:def:1"/>
-            </cpe-lang:logical-test>
-            <cpe-lang:logical-test operator="AND" negate="true">
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
-            </cpe-lang:logical-test>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_gdm">
+        <cpe-lang:platform id="package_ufw">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-package_gdm:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="grub2">
@@ -193,29 +204,29 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_grub2_package:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="wifi-iface">
-          <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_wifi_interface:def:1"/>
-          </cpe-lang:logical-test>
-        </cpe-lang:platform>
-        <cpe-lang:platform id="package_ntp">
-          <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
+        <cpe-lang:platform id="not_osbuild">
+          <cpe-lang:logical-test operator="AND" negate="true">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_chrony">
+        <cpe-lang:platform id="not_package_nftables_and_not_package_ufw">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
+            <cpe-lang:logical-test operator="AND" negate="true">
+              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-package_nftables:def:1"/>
/usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ocil.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ocil.xml	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ocil.xml	2023-07-27 00:00:00.000000000 +0000
@@ -7,472 +7,473 @@
     <ocil:timestamp>2023-07-27T00:00:00</ocil:timestamp>
   </ocil:generator>
   <ocil:questionnaires>
-    <ocil:questionnaire id="ocil:ssg-account_passwords_pam_faillock_dir_ocil:questionnaire:1">
-      <ocil:title>Account Lockouts Must Persist</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-accounts_password_pam_enforcing_ocil:questionnaire:1">
+      <ocil:title>Ensure PAM Enforces Password Requirements - Enforcing</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-account_passwords_pam_faillock_dir_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-accounts_password_pam_enforcing_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-sshd_enable_warning_banner_net_ocil:questionnaire:1">
-      <ocil:title>Enable SSH Warning Banner</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-ensure_sudo_group_restricted_ocil:questionnaire:1">
+      <ocil:title>Ensure sudo group has only necessary members</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-sshd_enable_warning_banner_net_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-ensure_sudo_group_restricted_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-mount_option_tmp_nodev_ocil:questionnaire:1">
-      <ocil:title>Add nodev Option to /tmp</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-ufw_rate_limit_ocil:questionnaire:1">
+      <ocil:title>ufw Must rate-limit network interfaces</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-mount_option_tmp_nodev_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-ufw_rate_limit_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-package_rpcbind_removed_ocil:questionnaire:1">
-      <ocil:title>Uninstall rpcbind Package</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-kernel_config_kexec_ocil:questionnaire:1">
+      <ocil:title>Disable kexec system call</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-package_rpcbind_removed_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-kernel_config_kexec_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-zipl_audit_argument_ocil:questionnaire:1">
-      <ocil:title>Enable Auditing to Start Prior to the Audit Daemon in zIPL</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-accounts_password_set_max_life_existing_ocil:questionnaire:1">
+      <ocil:title>Set Existing Passwords Maximum Age</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-zipl_audit_argument_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-accounts_password_set_max_life_existing_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-ntpd_configure_restrictions_ocil:questionnaire:1">
-      <ocil:title>Configure server restrictions for ntpd</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-has_nonlocal_mta_ocil:questionnaire:1">
+      <ocil:title>Ensure Mail Transfer Agent is not Listening on any non-loopback Address</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-ntpd_configure_restrictions_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-has_nonlocal_mta_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-package_MFEhiplsm_installed_ocil:questionnaire:1">
-      <ocil:title>Install the Host Intrusion Prevention System (HIPS) Module</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-audit_sudo_log_events_ocil:questionnaire:1">
+      <ocil:title>Record Attempts to perform maintenance activities</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-package_MFEhiplsm_installed_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-audit_sudo_log_events_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-grub2_disable_recovery_ocil:questionnaire:1">
-      <ocil:title>Disable Recovery Booting</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-is_fips_mode_enabled_ocil:questionnaire:1">
+      <ocil:title>Verify '/proc/sys/crypto/fips_enabled' exists</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-grub2_disable_recovery_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-is_fips_mode_enabled_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-sudo_vdsm_nopasswd_ocil:questionnaire:1">
-      <ocil:title>Only the VDSM User Can Use sudo NOPASSWD</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-file_owner_cron_hourly_ocil:questionnaire:1">
+      <ocil:title>Verify Owner on cron.hourly</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-sudo_vdsm_nopasswd_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-file_owner_cron_hourly_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-audit_rules_session_events_btmp_ocil:questionnaire:1">
-      <ocil:title>Record Attempts to Alter Process and Session Initiation Information btmp</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-audit_rules_login_events_tallylog_ocil:questionnaire:1">
+      <ocil:title>Record Attempts to Alter Logon and Logout Events - tallylog</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-audit_rules_session_events_btmp_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-audit_rules_login_events_tallylog_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-file_owner_var_log_messages_ocil:questionnaire:1">
-      <ocil:title>Verify User Who Owns /var/log/messages File</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv6_conf_default_accept_source_route_ocil:questionnaire:1">
+      <ocil:title>Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-file_owner_var_log_messages_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv6_conf_default_accept_source_route_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-grub2_password_ocil:questionnaire:1">
-      <ocil:title>Set Boot Loader Password in grub2</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-rsyslog_files_ownership_ocil:questionnaire:1">
+      <ocil:title>Ensure Log Files Are Owned By Appropriate User</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-grub2_password_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-rsyslog_files_ownership_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv4_conf_default_send_redirects_ocil:questionnaire:1">
-      <ocil:title>Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-auditd_data_retention_max_log_file_action_ocil:questionnaire:1">
+      <ocil:title>Configure auditd max_log_file_action Upon Reaching Maximum Log Size</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv4_conf_default_send_redirects_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-auditd_data_retention_max_log_file_action_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-file_groupowner_etc_shadow_ocil:questionnaire:1">
-      <ocil:title>Verify Group Who Owns shadow File</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-auditd_data_retention_space_left_percentage_ocil:questionnaire:1">
+      <ocil:title>Configure auditd space_left on Low Disk Space</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-file_groupowner_etc_shadow_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-auditd_data_retention_space_left_percentage_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-smartcard_configure_ca_ocil:questionnaire:1">
-      <ocil:title>Configure Smart Card Certificate Authority Validation</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-file_groupowner_var_log_syslog_ocil:questionnaire:1">
+      <ocil:title>Verify Group Who Owns /var/log/syslog File</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-smartcard_configure_ca_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-file_groupowner_var_log_syslog_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-permissions_local_var_log_ocil:questionnaire:1">
-      <ocil:title>Verify permissions of log files</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-grub2_nosmep_argument_absent_ocil:questionnaire:1">
+      <ocil:title>Ensure SMEP is not disabled during boot</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-permissions_local_var_log_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-grub2_nosmep_argument_absent_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-set_nftables_loopback_traffic_ocil:questionnaire:1">
-      <ocil:title>Set nftables Configuration for Loopback Traffic</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-package_nginx_removed_ocil:questionnaire:1">
+      <ocil:title>Uninstall nginx Package</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-set_nftables_loopback_traffic_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-package_nginx_removed_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-file_permissions_backup_etc_shadow_ocil:questionnaire:1">
-      <ocil:title>Verify Permissions on Backup shadow File</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-ntpd_configure_restrictions_ocil:questionnaire:1">
+      <ocil:title>Configure server restrictions for ntpd</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-file_permissions_backup_etc_shadow_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-ntpd_configure_restrictions_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-set_ip6tables_default_rule_ocil:questionnaire:1">
-      <ocil:title>Set Default ip6tables Policy for Incoming Packets</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-auditd_data_disk_full_action_ocil:questionnaire:1">
+      <ocil:title>Configure auditd Disk Full Action when Disk Space Is Full</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-set_ip6tables_default_rule_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-auditd_data_disk_full_action_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-bios_enable_execution_restrictions_ocil:questionnaire:1">
-      <ocil:title>Enable NX or XD Support in the BIOS</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-set_iptables_default_rule_forward_ocil:questionnaire:1">
+      <ocil:title>Set Default iptables Policy for Forwarded Packets</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-bios_enable_execution_restrictions_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-set_iptables_default_rule_forward_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-group_unique_name_ocil:questionnaire:1">
-      <ocil:title>Ensure All Groups on the System Have Unique Group Names</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-dir_ownership_library_dirs_ocil:questionnaire:1">
+      <ocil:title>Verify that Shared Library Directories Have Root Ownership</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-group_unique_name_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-dir_ownership_library_dirs_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-package_nginx_removed_ocil:questionnaire:1">
-      <ocil:title>Uninstall nginx Package</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-audit_rules_time_adjtimex_ocil:questionnaire:1">
+      <ocil:title>Record attempts to alter time through adjtimex</ocil:title>
       <ocil:actions>
/usr/share/xml/scap/ssg/content/ssg-ubuntu2004-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ubuntu2004-xccdf.xml	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu2004-xccdf.xml	2023-07-27 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
 <?xml version="1.0"?>
 <xccdf-1.2:Benchmark xmlns:cpe-lang="http://cpe.mitre.org/language/2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:html="http://www.w3.org/1999/xhtml" xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="xccdf_org.ssgproject.content_benchmark_UBUNTU_20-04" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.2 xccdf-1.2.xsd" style="SCAP_1.2" resolved="true" xml:lang="en-US">
-  <xccdf-1.2:status date="2023-07-27">draft</xccdf-1.2:status>
+  <xccdf-1.2:status date="2039-08-29">draft</xccdf-1.2:status>
   <xccdf-1.2:title>Guide to the Secure Configuration of Ubuntu 20.04</xccdf-1.2:title>
   <xccdf-1.2:description>This guide presents a catalog of security-relevant
 configuration settings for Ubuntu 20.04. It is a rendering of
@@ -43,15 +43,29 @@
 countries. All other names are registered trademarks or trademarks of their
 respective companies.</xccdf-1.2:rear-matter>
   <cpe-lang:platform-specification>
-    <cpe-lang:platform id="package_ufw">
+    <cpe-lang:platform id="wifi-iface">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_wifi_interface:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="machine_and_not_s390x_arch">
+    <cpe-lang:platform id="not_package_chrony_and_not_package_ntp">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
+        <cpe-lang:logical-test operator="AND" negate="true">
+          <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
+        </cpe-lang:logical-test>
+        <cpe-lang:logical-test operator="AND" negate="true">
+          <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
+        </cpe-lang:logical-test>
+      </cpe-lang:logical-test>
+    </cpe-lang:platform>
+    <cpe-lang:platform id="package_postfix">
+      <cpe-lang:logical-test operator="AND" negate="false">
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
+      </cpe-lang:logical-test>
+    </cpe-lang:platform>
+    <cpe-lang:platform id="non-uefi">
+      <cpe-lang:logical-test operator="AND" negate="false">
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
     <cpe-lang:platform id="machine_and_not_osbuild">
@@ -62,40 +76,53 @@
         <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_sssd">
+    <cpe-lang:platform id="package_ntp">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_postfix">
+    <cpe-lang:platform id="machine_and_mount_tmp">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_tmp:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="machine_and_mount_var-tmp">
+    <cpe-lang:platform id="machine_and_not_s390x_arch">
       <cpe-lang:logical-test operator="AND" negate="false">
         <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_var-tmp:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_pam">
+    <cpe-lang:platform id="package_sssd">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="not_osbuild">
-      <cpe-lang:logical-test operator="AND" negate="true">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
+    <cpe-lang:platform id="machine_and_package_ufw">
+      <cpe-lang:logical-test operator="AND" negate="false">
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="machine">
+    <cpe-lang:platform id="package_chrony_or_package_ntp">
+      <cpe-lang:logical-test operator="OR" negate="false">
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
+      </cpe-lang:logical-test>
+    </cpe-lang:platform>
+    <cpe-lang:platform id="package_nftables">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-package_nftables:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_shadow-utils">
+    <cpe-lang:platform id="package_gdm">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-package_shadow-utils:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-package_gdm:def:1"/>
+      </cpe-lang:logical-test>
+    </cpe-lang:platform>
+    <cpe-lang:platform id="package_pam">
+      <cpe-lang:logical-test operator="AND" negate="false">
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
     <cpe-lang:platform id="not_s390x_arch">
@@ -108,26 +135,15 @@
         <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-installed_OS_is_rhcos4_rhel9:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_chrony_or_package_ntp">
-      <cpe-lang:logical-test operator="OR" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
-      </cpe-lang:logical-test>
-    </cpe-lang:platform>
-    <cpe-lang:platform id="package_systemd">
-      <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-package_systemd:def:1"/>
-      </cpe-lang:logical-test>
-    </cpe-lang:platform>
-    <cpe-lang:platform id="non-uefi">
+    <cpe-lang:platform id="package_chrony">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="machine_and_mount_tmp">
+    <cpe-lang:platform id="machine_and_mount_var-tmp">
       <cpe-lang:logical-test operator="AND" negate="false">
         <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_tmp:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_var-tmp:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
     <cpe-lang:platform id="package_sudo">
@@ -135,24 +151,19 @@
         <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-package_sudo:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_nftables">
+    <cpe-lang:platform id="package_systemd">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-package_nftables:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-package_systemd:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="not_package_nftables_and_not_package_ufw">
+    <cpe-lang:platform id="aarch64_arch">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:logical-test operator="AND" negate="true">
-          <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-package_nftables:def:1"/>
-        </cpe-lang:logical-test>
-        <cpe-lang:logical-test operator="AND" negate="true">
-          <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
-        </cpe-lang:logical-test>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_gdm">
+    <cpe-lang:platform id="package_ufw">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-package_gdm:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
     <cpe-lang:platform id="grub2">
@@ -160,29 +171,29 @@
         <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_grub2_package:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="wifi-iface">
-      <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_wifi_interface:def:1"/>
-      </cpe-lang:logical-test>
-    </cpe-lang:platform>
-    <cpe-lang:platform id="package_ntp">
-      <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
+    <cpe-lang:platform id="not_osbuild">
+      <cpe-lang:logical-test operator="AND" negate="true">
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_chrony">
+    <cpe-lang:platform id="not_package_nftables_and_not_package_ufw">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
+        <cpe-lang:logical-test operator="AND" negate="true">
+          <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2004-cpe-oval.xml" id-ref="oval:ssg-package_nftables:def:1"/>
+        </cpe-lang:logical-test>
/usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ds-1.2.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ds-1.2.xml	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ds-1.2.xml	2023-07-27 00:00:00.000000000 +0000
@@ -33,7 +33,7 @@
   </ds:component>
   <ds:component id="scap_org.open-scap_comp_ssg-ubuntu2204-xccdf.xml" timestamp="2023-07-27T00:00:00">
     <xccdf-1.2:Benchmark id="xccdf_org.ssgproject.content_benchmark_UBUNTU_22-04" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.2 xccdf-1.2.xsd" style="SCAP_1.2" resolved="true" xml:lang="en-US">
-      <xccdf-1.2:status date="2023-07-27">draft</xccdf-1.2:status>
+      <xccdf-1.2:status date="2039-08-29">draft</xccdf-1.2:status>
       <xccdf-1.2:title>Guide to the Secure Configuration of Ubuntu 22.04</xccdf-1.2:title>
       <xccdf-1.2:description>This guide presents a catalog of security-relevant
 configuration settings for Ubuntu 22.04. It is a rendering of
@@ -76,64 +76,65 @@
 countries. All other names are registered trademarks or trademarks of their
 respective companies.</xccdf-1.2:rear-matter>
       <cpe-lang:platform-specification>
-        <cpe-lang:platform id="package_ufw">
-          <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
-          </cpe-lang:logical-test>
-        </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_not_s390x_arch">
+        <cpe-lang:platform id="wifi-iface">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_wifi_interface:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_not_osbuild">
+        <cpe-lang:platform id="not_package_chrony_and_not_package_ntp">
           <cpe-lang:logical-test operator="AND" negate="false">
             <cpe-lang:logical-test operator="AND" negate="true">
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
+              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
+            </cpe-lang:logical-test>
+            <cpe-lang:logical-test operator="AND" negate="true">
+              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
             </cpe-lang:logical-test>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_sssd">
+        <cpe-lang:platform id="package_postfix">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_postfix">
+        <cpe-lang:platform id="non-uefi">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_mount_var-tmp">
+        <cpe-lang:platform id="machine_and_not_osbuild">
           <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:logical-test operator="AND" negate="true">
+              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
+            </cpe-lang:logical-test>
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_var-tmp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_pam">
+        <cpe-lang:platform id="package_ntp">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="not_osbuild">
-          <cpe-lang:logical-test operator="AND" negate="true">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
+        <cpe-lang:platform id="machine_and_mount_tmp">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_tmp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine">
+        <cpe-lang:platform id="machine_and_not_s390x_arch">
           <cpe-lang:logical-test operator="AND" negate="false">
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_shadow-utils">
+        <cpe-lang:platform id="package_sssd">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-package_shadow-utils:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="not_rhcos4-rhel9">
-          <cpe-lang:logical-test operator="AND" negate="true">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-installed_OS_is_rhcos4_rhel9:def:1"/>
+        <cpe-lang:platform id="machine_and_package_ufw">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="package_chrony_or_package_ntp">
@@ -142,80 +143,80 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_systemd">
+        <cpe-lang:platform id="package_nftables">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-package_systemd:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-package_nftables:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="non-uefi">
+        <cpe-lang:platform id="package_gdm">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-package_gdm:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_mount_tmp">
+        <cpe-lang:platform id="package_pam">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_tmp:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_sudo">
-          <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-package_sudo:def:1"/>
+        <cpe-lang:platform id="not_rhcos4-rhel9">
+          <cpe-lang:logical-test operator="AND" negate="true">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-installed_OS_is_rhcos4_rhel9:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_nftables">
+        <cpe-lang:platform id="package_chrony">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-package_nftables:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="not_package_nftables_and_not_package_ufw">
+        <cpe-lang:platform id="machine_and_mount_var-tmp">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:logical-test operator="AND" negate="true">
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-package_nftables:def:1"/>
-            </cpe-lang:logical-test>
-            <cpe-lang:logical-test operator="AND" negate="true">
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
-            </cpe-lang:logical-test>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_var-tmp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_gdm">
+        <cpe-lang:platform id="package_sudo">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-package_gdm:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-package_sudo:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="grub2">
+        <cpe-lang:platform id="package_systemd">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_grub2_package:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-package_systemd:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="wifi-iface">
+        <cpe-lang:platform id="aarch64_arch">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_wifi_interface:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_ntp">
+        <cpe-lang:platform id="package_ufw">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_chrony">
+        <cpe-lang:platform id="grub2">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_grub2_package:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="aarch64_arch">
-          <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1"/>
+        <cpe-lang:platform id="not_osbuild">
+          <cpe-lang:logical-test operator="AND" negate="true">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
/usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ds.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ds.xml	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ds.xml	2023-07-27 00:00:00.000000000 +0000
@@ -33,7 +33,7 @@
   </ds:component>
   <ds:component id="scap_org.open-scap_comp_ssg-ubuntu2204-xccdf.xml" timestamp="2023-07-27T00:00:00">
     <xccdf-1.2:Benchmark id="xccdf_org.ssgproject.content_benchmark_UBUNTU_22-04" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.2 xccdf-1.2.xsd" style="SCAP_1.2" resolved="true" xml:lang="en-US">
-      <xccdf-1.2:status date="2023-07-27">draft</xccdf-1.2:status>
+      <xccdf-1.2:status date="2039-08-29">draft</xccdf-1.2:status>
       <xccdf-1.2:title>Guide to the Secure Configuration of Ubuntu 22.04</xccdf-1.2:title>
       <xccdf-1.2:description>This guide presents a catalog of security-relevant
 configuration settings for Ubuntu 22.04. It is a rendering of
@@ -76,64 +76,65 @@
 countries. All other names are registered trademarks or trademarks of their
 respective companies.</xccdf-1.2:rear-matter>
       <cpe-lang:platform-specification>
-        <cpe-lang:platform id="package_ufw">
-          <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
-          </cpe-lang:logical-test>
-        </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_not_s390x_arch">
+        <cpe-lang:platform id="wifi-iface">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_wifi_interface:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_not_osbuild">
+        <cpe-lang:platform id="not_package_chrony_and_not_package_ntp">
           <cpe-lang:logical-test operator="AND" negate="false">
             <cpe-lang:logical-test operator="AND" negate="true">
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
+              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
+            </cpe-lang:logical-test>
+            <cpe-lang:logical-test operator="AND" negate="true">
+              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
             </cpe-lang:logical-test>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_sssd">
+        <cpe-lang:platform id="package_postfix">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_postfix">
+        <cpe-lang:platform id="non-uefi">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_mount_var-tmp">
+        <cpe-lang:platform id="machine_and_not_osbuild">
           <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:logical-test operator="AND" negate="true">
+              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
+            </cpe-lang:logical-test>
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_var-tmp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_pam">
+        <cpe-lang:platform id="package_ntp">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="not_osbuild">
-          <cpe-lang:logical-test operator="AND" negate="true">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
+        <cpe-lang:platform id="machine_and_mount_tmp">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_tmp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine">
+        <cpe-lang:platform id="machine_and_not_s390x_arch">
           <cpe-lang:logical-test operator="AND" negate="false">
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_shadow-utils">
+        <cpe-lang:platform id="package_sssd">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-package_shadow-utils:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="not_rhcos4-rhel9">
-          <cpe-lang:logical-test operator="AND" negate="true">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-installed_OS_is_rhcos4_rhel9:def:1"/>
+        <cpe-lang:platform id="machine_and_package_ufw">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="package_chrony_or_package_ntp">
@@ -142,80 +143,80 @@
             <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_systemd">
+        <cpe-lang:platform id="package_nftables">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-package_systemd:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-package_nftables:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="non-uefi">
+        <cpe-lang:platform id="package_gdm">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-package_gdm:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_mount_tmp">
+        <cpe-lang:platform id="package_pam">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_tmp:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_sudo">
-          <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-package_sudo:def:1"/>
+        <cpe-lang:platform id="not_rhcos4-rhel9">
+          <cpe-lang:logical-test operator="AND" negate="true">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-installed_OS_is_rhcos4_rhel9:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_nftables">
+        <cpe-lang:platform id="package_chrony">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-package_nftables:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="not_package_nftables_and_not_package_ufw">
+        <cpe-lang:platform id="machine_and_mount_var-tmp">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:logical-test operator="AND" negate="true">
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-package_nftables:def:1"/>
-            </cpe-lang:logical-test>
-            <cpe-lang:logical-test operator="AND" negate="true">
-              <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
-            </cpe-lang:logical-test>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_var-tmp:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_gdm">
+        <cpe-lang:platform id="package_sudo">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-package_gdm:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-package_sudo:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="grub2">
+        <cpe-lang:platform id="package_systemd">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_grub2_package:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-package_systemd:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="wifi-iface">
+        <cpe-lang:platform id="aarch64_arch">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_wifi_interface:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_ntp">
+        <cpe-lang:platform id="package_ufw">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="package_chrony">
+        <cpe-lang:platform id="grub2">
           <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_grub2_package:def:1"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="aarch64_arch">
-          <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1"/>
+        <cpe-lang:platform id="not_osbuild">
+          <cpe-lang:logical-test operator="AND" negate="true">
+            <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
/usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ocil.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ocil.xml	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu2204-ocil.xml	2023-07-27 00:00:00.000000000 +0000
@@ -7,2681 +7,2675 @@
     <ocil:timestamp>2023-07-27T00:00:00</ocil:timestamp>
   </ocil:generator>
   <ocil:questionnaires>
-    <ocil:questionnaire id="ocil:ssg-account_passwords_pam_faillock_dir_ocil:questionnaire:1">
-      <ocil:title>Account Lockouts Must Persist</ocil:title>
-      <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-account_passwords_pam_faillock_dir_action:testaction:1</ocil:test_action_ref>
-      </ocil:actions>
-    </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-sshd_enable_warning_banner_net_ocil:questionnaire:1">
-      <ocil:title>Enable SSH Warning Banner</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-kernel_config_kexec_ocil:questionnaire:1">
+      <ocil:title>Disable kexec system call</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-sshd_enable_warning_banner_net_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-kernel_config_kexec_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-mount_option_tmp_nodev_ocil:questionnaire:1">
-      <ocil:title>Add nodev Option to /tmp</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-accounts_password_set_max_life_existing_ocil:questionnaire:1">
+      <ocil:title>Set Existing Passwords Maximum Age</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-mount_option_tmp_nodev_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-accounts_password_set_max_life_existing_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-package_rpcbind_removed_ocil:questionnaire:1">
-      <ocil:title>Uninstall rpcbind Package</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-mount_option_var_log_audit_nosuid_ocil:questionnaire:1">
+      <ocil:title>Add nosuid Option to /var/log/audit</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-package_rpcbind_removed_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-mount_option_var_log_audit_nosuid_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-zipl_audit_argument_ocil:questionnaire:1">
-      <ocil:title>Enable Auditing to Start Prior to the Audit Daemon in zIPL</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-has_nonlocal_mta_ocil:questionnaire:1">
+      <ocil:title>Ensure Mail Transfer Agent is not Listening on any non-loopback Address</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-zipl_audit_argument_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-has_nonlocal_mta_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-ntpd_configure_restrictions_ocil:questionnaire:1">
-      <ocil:title>Configure server restrictions for ntpd</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-audit_sudo_log_events_ocil:questionnaire:1">
+      <ocil:title>Record Attempts to perform maintenance activities</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-ntpd_configure_restrictions_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-audit_sudo_log_events_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-package_MFEhiplsm_installed_ocil:questionnaire:1">
-      <ocil:title>Install the Host Intrusion Prevention System (HIPS) Module</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-is_fips_mode_enabled_ocil:questionnaire:1">
+      <ocil:title>Verify '/proc/sys/crypto/fips_enabled' exists</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-package_MFEhiplsm_installed_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-is_fips_mode_enabled_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-grub2_disable_recovery_ocil:questionnaire:1">
-      <ocil:title>Disable Recovery Booting</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-file_owner_cron_hourly_ocil:questionnaire:1">
+      <ocil:title>Verify Owner on cron.hourly</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-grub2_disable_recovery_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-file_owner_cron_hourly_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-sudo_vdsm_nopasswd_ocil:questionnaire:1">
-      <ocil:title>Only the VDSM User Can Use sudo NOPASSWD</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-audit_rules_login_events_tallylog_ocil:questionnaire:1">
+      <ocil:title>Record Attempts to Alter Logon and Logout Events - tallylog</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-sudo_vdsm_nopasswd_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-audit_rules_login_events_tallylog_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-audit_rules_session_events_btmp_ocil:questionnaire:1">
-      <ocil:title>Record Attempts to Alter Process and Session Initiation Information btmp</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv6_conf_default_accept_source_route_ocil:questionnaire:1">
+      <ocil:title>Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-audit_rules_session_events_btmp_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv6_conf_default_accept_source_route_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-socket_systemd-journal-remote_disabled_ocil:questionnaire:1">
-      <ocil:title>Disable systemd-journal-remote Socket</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-sudo_require_reauthentication_ocil:questionnaire:1">
+      <ocil:title>Require Re-Authentication When Using the sudo Command</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-socket_systemd-journal-remote_disabled_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-sudo_require_reauthentication_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-file_owner_var_log_messages_ocil:questionnaire:1">
-      <ocil:title>Verify User Who Owns /var/log/messages File</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-rsyslog_files_ownership_ocil:questionnaire:1">
+      <ocil:title>Ensure Log Files Are Owned By Appropriate User</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-file_owner_var_log_messages_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-rsyslog_files_ownership_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-grub2_password_ocil:questionnaire:1">
-      <ocil:title>Set Boot Loader Password in grub2</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-auditd_data_retention_max_log_file_action_ocil:questionnaire:1">
+      <ocil:title>Configure auditd max_log_file_action Upon Reaching Maximum Log Size</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-grub2_password_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-auditd_data_retention_max_log_file_action_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv4_conf_default_send_redirects_ocil:questionnaire:1">
-      <ocil:title>Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-auditd_data_retention_space_left_percentage_ocil:questionnaire:1">
+      <ocil:title>Configure auditd space_left on Low Disk Space</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv4_conf_default_send_redirects_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-auditd_data_retention_space_left_percentage_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-file_groupowner_etc_shadow_ocil:questionnaire:1">
-      <ocil:title>Verify Group Who Owns shadow File</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-file_groupowner_var_log_syslog_ocil:questionnaire:1">
+      <ocil:title>Verify Group Who Owns /var/log/syslog File</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-file_groupowner_etc_shadow_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-file_groupowner_var_log_syslog_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-permissions_local_var_log_ocil:questionnaire:1">
-      <ocil:title>Verify permissions of log files</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-grub2_nosmep_argument_absent_ocil:questionnaire:1">
+      <ocil:title>Ensure SMEP is not disabled during boot</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-permissions_local_var_log_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-grub2_nosmep_argument_absent_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-set_nftables_loopback_traffic_ocil:questionnaire:1">
-      <ocil:title>Set nftables Configuration for Loopback Traffic</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-package_nginx_removed_ocil:questionnaire:1">
+      <ocil:title>Uninstall nginx Package</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-set_nftables_loopback_traffic_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-package_nginx_removed_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-file_permissions_backup_etc_shadow_ocil:questionnaire:1">
-      <ocil:title>Verify Permissions on Backup shadow File</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-rsyslog_nolisten_ocil:questionnaire:1">
+      <ocil:title>Ensure rsyslog Does Not Accept Remote Messages Unless Acting As Log Server</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-file_permissions_backup_etc_shadow_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-rsyslog_nolisten_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-set_ip6tables_default_rule_ocil:questionnaire:1">
-      <ocil:title>Set Default ip6tables Policy for Incoming Packets</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-ntpd_configure_restrictions_ocil:questionnaire:1">
+      <ocil:title>Configure server restrictions for ntpd</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-set_ip6tables_default_rule_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-ntpd_configure_restrictions_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-bios_enable_execution_restrictions_ocil:questionnaire:1">
-      <ocil:title>Enable NX or XD Support in the BIOS</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-auditd_data_disk_full_action_ocil:questionnaire:1">
+      <ocil:title>Configure auditd Disk Full Action when Disk Space Is Full</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-bios_enable_execution_restrictions_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-auditd_data_disk_full_action_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-group_unique_name_ocil:questionnaire:1">
-      <ocil:title>Ensure All Groups on the System Have Unique Group Names</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-set_iptables_default_rule_forward_ocil:questionnaire:1">
+      <ocil:title>Set Default iptables Policy for Forwarded Packets</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-group_unique_name_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-set_iptables_default_rule_forward_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
     </ocil:questionnaire>
-    <ocil:questionnaire id="ocil:ssg-package_nginx_removed_ocil:questionnaire:1">
-      <ocil:title>Uninstall nginx Package</ocil:title>
+    <ocil:questionnaire id="ocil:ssg-dir_ownership_library_dirs_ocil:questionnaire:1">
+      <ocil:title>Verify that Shared Library Directories Have Root Ownership</ocil:title>
       <ocil:actions>
-        <ocil:test_action_ref>ocil:ssg-package_nginx_removed_action:testaction:1</ocil:test_action_ref>
+        <ocil:test_action_ref>ocil:ssg-dir_ownership_library_dirs_action:testaction:1</ocil:test_action_ref>
       </ocil:actions>
/usr/share/xml/scap/ssg/content/ssg-ubuntu2204-xccdf.xml differs (XML 1.0 document, ASCII text, with very long lines)
--- old//usr/share/xml/scap/ssg/content/ssg-ubuntu2204-xccdf.xml	2023-07-27 00:00:00.000000000 +0000
+++ new//usr/share/xml/scap/ssg/content/ssg-ubuntu2204-xccdf.xml	2023-07-27 00:00:00.000000000 +0000
@@ -1,6 +1,6 @@
 <?xml version="1.0"?>
 <xccdf-1.2:Benchmark xmlns:cpe-lang="http://cpe.mitre.org/language/2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:html="http://www.w3.org/1999/xhtml" xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="xccdf_org.ssgproject.content_benchmark_UBUNTU_22-04" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.2 xccdf-1.2.xsd" style="SCAP_1.2" resolved="true" xml:lang="en-US">
-  <xccdf-1.2:status date="2023-07-27">draft</xccdf-1.2:status>
+  <xccdf-1.2:status date="2039-08-29">draft</xccdf-1.2:status>
   <xccdf-1.2:title>Guide to the Secure Configuration of Ubuntu 22.04</xccdf-1.2:title>
   <xccdf-1.2:description>This guide presents a catalog of security-relevant
 configuration settings for Ubuntu 22.04. It is a rendering of
@@ -43,64 +43,65 @@
 countries. All other names are registered trademarks or trademarks of their
 respective companies.</xccdf-1.2:rear-matter>
   <cpe-lang:platform-specification>
-    <cpe-lang:platform id="package_ufw">
-      <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
-      </cpe-lang:logical-test>
-    </cpe-lang:platform>
-    <cpe-lang:platform id="machine_and_not_s390x_arch">
+    <cpe-lang:platform id="wifi-iface">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_wifi_interface:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="machine_and_not_osbuild">
+    <cpe-lang:platform id="not_package_chrony_and_not_package_ntp">
       <cpe-lang:logical-test operator="AND" negate="false">
         <cpe-lang:logical-test operator="AND" negate="true">
-          <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
+          <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
+        </cpe-lang:logical-test>
+        <cpe-lang:logical-test operator="AND" negate="true">
+          <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
         </cpe-lang:logical-test>
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_sssd">
+    <cpe-lang:platform id="package_postfix">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_postfix">
+    <cpe-lang:platform id="non-uefi">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-package_postfix:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="machine_and_mount_var-tmp">
+    <cpe-lang:platform id="machine_and_not_osbuild">
       <cpe-lang:logical-test operator="AND" negate="false">
+        <cpe-lang:logical-test operator="AND" negate="true">
+          <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
+        </cpe-lang:logical-test>
         <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_var-tmp:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_pam">
+    <cpe-lang:platform id="package_ntp">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="not_osbuild">
-      <cpe-lang:logical-test operator="AND" negate="true">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
+    <cpe-lang:platform id="machine_and_mount_tmp">
+      <cpe-lang:logical-test operator="AND" negate="false">
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_tmp:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="machine">
+    <cpe-lang:platform id="machine_and_not_s390x_arch">
       <cpe-lang:logical-test operator="AND" negate="false">
         <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_shadow-utils">
+    <cpe-lang:platform id="package_sssd">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-package_shadow-utils:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-package_sssd:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="not_rhcos4-rhel9">
-      <cpe-lang:logical-test operator="AND" negate="true">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-installed_OS_is_rhcos4_rhel9:def:1"/>
+    <cpe-lang:platform id="machine_and_package_ufw">
+      <cpe-lang:logical-test operator="AND" negate="false">
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
     <cpe-lang:platform id="package_chrony_or_package_ntp">
@@ -109,80 +110,80 @@
         <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_systemd">
+    <cpe-lang:platform id="package_nftables">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-package_systemd:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-package_nftables:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="non-uefi">
+    <cpe-lang:platform id="package_gdm">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-system_boot_mode_is_non_uefi:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-package_gdm:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="machine_and_mount_tmp">
+    <cpe-lang:platform id="package_pam">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_tmp:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-package_pam:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_sudo">
-      <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-package_sudo:def:1"/>
+    <cpe-lang:platform id="not_rhcos4-rhel9">
+      <cpe-lang:logical-test operator="AND" negate="true">
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-installed_OS_is_rhcos4_rhel9:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_nftables">
+    <cpe-lang:platform id="package_chrony">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-package_nftables:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="not_package_nftables_and_not_package_ufw">
+    <cpe-lang:platform id="machine_and_mount_var-tmp">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:logical-test operator="AND" negate="true">
-          <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-package_nftables:def:1"/>
-        </cpe-lang:logical-test>
-        <cpe-lang:logical-test operator="AND" negate="true">
-          <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
-        </cpe-lang:logical-test>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_a_machine:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-installed_env_mount_var-tmp:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_gdm">
+    <cpe-lang:platform id="package_sudo">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-package_gdm:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-package_sudo:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="grub2">
+    <cpe-lang:platform id="package_systemd">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_grub2_package:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-package_systemd:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="wifi-iface">
+    <cpe-lang:platform id="aarch64_arch">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_wifi_interface:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_ntp">
+    <cpe-lang:platform id="package_ufw">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-package_ntp:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-package_ufw:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="package_chrony">
+    <cpe-lang:platform id="grub2">
       <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-package_chrony:def:1"/>
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-installed_env_has_grub2_package:def:1"/>
       </cpe-lang:logical-test>
     </cpe-lang:platform>
-    <cpe-lang:platform id="aarch64_arch">
-      <cpe-lang:logical-test operator="AND" negate="false">
-        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1"/>
+    <cpe-lang:platform id="not_osbuild">
+      <cpe-lang:logical-test operator="AND" negate="true">
+        <cpe-lang:check-fact-ref system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-ubuntu2204-cpe-oval.xml" id-ref="oval:ssg-installed_env_is_osbuild:def:1"/>
       </cpe-lang:logical-test>
overalldiffered=4 (number of pkgs that are not bit-by-bit identical: 0 is good)
overall=1